TTP: Medium: Democratizing Secure Password Management

Project Details

Lead PI

Performance Period

Sep 01, 2016 - Aug 31, 2019

Institution(s)

Cornell University

Award Number


The theft of passwords and other user credentials from online services has become an epidemic, with password breaches regularly affecting large user populations and leaving both consumers and businesses vulnerable to attack. A number of research results point the way toward methods that could greatly improve the security of password systems. There is thus both an urgent need and a clear opportunity to transform the general state of industry practice in password management. Toward this end, the researchers are building an easy-to-deploy password-protection system called PASS. PASS turns recent research on state-of-the-art methods for protecting passwords and related user credentials into deployable components and extends that research with new techniques. PASS aims to make available to even the smallest organizations a complete, principled, server-side password-protection system that offers far stronger security by default than any known existing system.

PASS transitions later-stage research into practice and develops novel extensions to several of the PIs' recent research innovations, including:

(1) Pythia, a service for password hardening. Password hardening is a technique that applies a cryptographic transform, keyed by a separate service, to stored and user-submitted passwords so that a stolen password database cannot be cracked offline without that service's key. Pythia incorporates a novel and practical transformation of this kind, known as a verifiable partially-oblivious pseudorandom function. Because the password is blinded before it reaches the service, this transform not only hardens passwords but also limits the damage from a compromise of the hardening service itself, and it allows the service key to be rotated and stored password data to be updated accordingly, thereby minimizing the impact of a breach.

(2) Honey objects: A well-established method for mitigating the damage caused by a breach is to incorporate fake or decoy data or services into a system. These objects, often called "honey objects", serve to divert or deceive an adversary and to signal a breach when they are used. PASS will incorporate honey objects such as fake user and administrative accounts, doing so in a way that builds on the PIs' recent research into principled use of such objects.

(3) Typo-tolerance: In support of an emerging industry practice that enhances usability for clients, PASS will support the optional acceptance of passwords with certain common typographical errors. PASS will enable deployers to avoid current ad hoc methods for such typo-tolerance and instead leverage recent and ongoing research results to achieve a principled security / usability tradeoff, since every tolerated typo is also an extra candidate an online guesser gets for free.

By offering these novel tools in a mature, modular development ecosystem for engineers and researchers, PASS serves not only as a platform to democratize advances in password-protection technologies but also as a stimulus and proving ground for new, practice-oriented research in the security community.
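The following is an added example, not code from PASS or Pythia, that models the server-side flow items (1) and (3) above describe: the login server hardens each password through a blinded PRF evaluated by a separate hardening service, the service rotates its key and hands the login server an update token so stored records can be re-keyed without user involvement, and login optionally accepts a fixed set of common typos. The PRF here is a simplified fully-oblivious DH-style PRF in a prime-order subgroup, standing in for Pythia's pairing-based, partially-oblivious and verifiable construction (which additionally lets the service see a per-user tweak for rate limiting and prove that it used the right key); the group parameters, the four typo correctors and the user record are assumptions constructed for the demo.

```python
"""Added example (not Pythia or PASS code): a PASS-style password store with
oblivious password hardening, service-side key rotation and typo tolerance.
The PRF is a simplified fully-oblivious DH-style PRF in a prime-order subgroup."""
import hashlib
import hmac
import random
import secrets

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin with rng-chosen bases."""
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits=128, seed=2016):
    """Deterministic search for a safe prime p = 2q + 1 (toy size; assumption)."""
    rng = random.Random(seed)
    q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
    while not (is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime_group()

def hash_to_group(password):
    """Map a password into the order-q subgroup (quadratic residues mod p)."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % P
    return pow(h, 2, P)

class HardeningService:
    """Separate PRF service: holds k and only ever sees blinded values."""
    def __init__(self):
        self.k = secrets.randbelow(Q - 1) + 1
    def evaluate(self, blinded):
        return pow(blinded, self.k, P)
    def rotate(self):
        """Install a fresh key; return the update token delta = k_new / k_old."""
        new_k = secrets.randbelow(Q - 1) + 1
        delta = new_k * pow(self.k, -1, Q) % Q
        self.k = new_k
        return delta

def harden(service, password):
    """Login-server side: blind, query, unblind. Yields H(pw)^k; the service never sees pw."""
    r = secrets.randbelow(Q - 1) + 1
    blinded = pow(hash_to_group(password), r, P)
    return pow(service.evaluate(blinded), pow(r, -1, Q), P)

# Illustrative typo correctors (assumption, not PASS's list): as typed,
# caps-lock on, first letter's case flipped, one extra trailing character.
CORRECTORS = (lambda pw: pw, lambda pw: pw.swapcase(),
              lambda pw: pw[:1].swapcase() + pw[1:], lambda pw: pw[:-1])

class PasswordStore:
    def __init__(self, service):
        self.service = service
        self.records = {}  # username -> hardened value H(pw)^k
    def register(self, user, password):
        self.records[user] = harden(self.service, password)
    def check(self, user, submitted, typo_tolerant=True):
        """Each corrector costs one PRF query and gives an online guesser one extra candidate."""
        stored = self.records[user].to_bytes(32, "big")
        for fix in CORRECTORS if typo_tolerant else CORRECTORS[:1]:
            got = harden(self.service, fix(submitted)).to_bytes(32, "big")
            if hmac.compare_digest(got, stored):
                return True
        return False
    def apply_rotation(self, delta):
        """Re-harden all records offline, no passwords needed: v -> v^delta = H(pw)^k_new."""
        self.records = {u: pow(v, delta, P) for u, v in self.records.items()}

def demo():
    """Constructed walk-through; returns the outcome of each check."""
    svc = HardeningService()
    store = PasswordStore(svc)
    store.register("alice", "Correct-Horse-9")
    out = {"exact": store.check("alice", "Correct-Horse-9"),
           "capslock": store.check("alice", "cORRECT-hORSE-9"),
           "capslock_strict": store.check("alice", "cORRECT-hORSE-9", False),
           "wrong": store.check("alice", "Correct-Horse-8")}
    store.apply_rotation(svc.rotate())
    out["after_rotation"] = store.check("alice", "Correct-Horse-9")
    return out
```

Two points to take from the walk-through: the database alone holds only H(pw)^k, so an attacker who steals it still has to query the hardening service (where rate limiting and logging apply) for every guess, and after `rotate()` the old key is useless against the re-keyed records even though no user ever re-entered a password. The rotation token must travel only between the service and the login server; anyone holding both the old records and delta can re-key the stolen copy too.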