Skip to main content

Research Talk:  Usable and Secure Password Management

Date:September 10, 2012 
Talk Title:Usable and Secure Password Management
Speaker:Jeremiah Blocki, Graduate Student, Carnegie Mellon University
Time & Location:12:00pm - 1:00pm
CIC Building, Pittsburgh


Although millions of users use passwords everyday to protect important assets (e.g., online banking, trading, commerce, email, social networks, and enterprise resources) we do not know how to create secure and usable passwords. A typical computer user today has many password protected online accounts: Amazon, eBay, PNC bank, Gmail, etc.. Informally, a password management scheme is any method for creating and retrieving each password. A typical user has to select and remember a password for over one-hundred different accounts. Many sites have vastly different password requirements: minimum length, maximum length, special characters, capitalization, etc. Intimidated by the prospect of remembering so many different passwords many users adopt an insecure password management scheme: writing down passwords, reusing passwords and picking weak (low entropy) passwords. A large scale study of password habits revealed that in 2007 a typical user had no more than 7 unique passwords and reused each password around 4 times on average. While there are many articles (and even several books) on how to generate good passwords, there is still a clear need to develop password management schemes which are usable and secure.

We are interested in password management schemes which can be implemented on "human hardware". A good password management scheme should be usable and secure. Informally, a password management scheme is usable if a human can create and recall passwords without too much effort. We present a mathematical framework for analyzing the security of a password management scheme. In this framework a secure password management scheme must provide concrete security guarantees even against an adversary who has already learned one or more of the users passwords. Using this framework we introduce a secure password management scheme and present evidence that this password management scheme is usable.

This is joint work with Manuel Blum and Anupam Datta.

Speaker Bio

Jeremiah BlockiJeremiah Blocki is a graduate student at Carnegie Mellon University in the Computer Science Department, where he is pursuing a PhD. He has also completed his undergraduate studies at Carnegie Mellon University where he double majored in Computer Science and Mathematics. Blocki is fortunate to be co-advised by Manuel Blum and Anupam Datta. He is also very thankful to be supported by a NSF Graduate Research Fellowship.