Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22–25, 2017, Proceedings

Research Article

BluePass: A Secure Hand-Free Password Manager

  • @INPROCEEDINGS{10.1007/978-3-319-78813-5_10,
        author={Yue Li and Haining Wang and Kun Sun},
        title={BluePass: A Secure Hand-Free Password Manager},
        proceedings={Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22--25, 2017, Proceedings},
        proceedings_a={SECURECOMM},
        year={2018},
        month={4},
        keywords={Password manager Two-factor authentication},
        doi={10.1007/978-3-319-78813-5_10}
    }
    
  • Yue Li, Haining Wang, Kun Sun. BluePass: A Secure Hand-Free Password Manager. SECURECOMM, Springer, 2018. DOI: 10.1007/978-3-319-78813-5_10
Yue Li¹*, Haining Wang²*, Kun Sun³*
  • 1: College of William and Mary
  • 2: University of Delaware
  • 3: George Mason University
*Contact email: yli@cs.wm.edu, hnw@udel.edu, ksun3@gmu.edu

Abstract

With the growing number of online accounts a user possesses, managing passwords has become unprecedentedly challenging. Users are prone to sacrifice security for usability, leaving their accounts vulnerable to various attacks. While replacing text-based passwords with a new universally applicable authentication scheme still seems unlikely in the foreseeable future, password managers have emerged to help users manage their passwords. However, state-of-the-art cloud-based password managers are vulnerable to data breaches, and the master password becomes a single point of failure. To address these security vulnerabilities, we propose BluePass, a password manager that stores the password vault (i.e., the set of all the encrypted site passwords of a user) locally on a mobile device and the decryption key to the vault on the user's computer. BluePass partially inherits the security characteristics of 2-Factor authentication by requiring both a mobile device and a master password to retrieve and decrypt the site passwords. BluePass leverages the short-range nature of Bluetooth to automatically retrieve site passwords and fill the login fields, providing a hand-free user experience. Thus, BluePass enhances both security and usability. We implement a BluePass prototype on the Android and Google Chrome platforms and evaluate its efficacy in terms of security, usability, and overhead.