Anuj Gautam

Abstract:  Password managers help users more effectively manage their passwords, yet the adoption of password generation is minimal. One explanation for this problem is that websites' password composition policies (PCPs) can reject generated passwords, creating a usability impediment. To address this issue, we design a PCP language that websites use to describe their PCP and that managers use to generate compliant passwords. We develop this language using an iterative process involving an extensive collection of PCPs scraped from the Web. We provide libraries for adopting our PCP language into websites and password managers and build proof-of-concept prototypes to verify the real-world feasibility of our PCP language. Using a 25-person user study, we demonstrate that our language and libraries are easy to pick up and correctly use for novice developers. Finally, we replicate and extend past research evaluating Web PCPs, showing that half of PCPs fail to require passwords that resist offline attacks when considering that users prefer certain character classes when selecting their passwords.

• Download paper
• Download presentation slides
• Download data archive

Abstract:  There is limited information regarding how users employ password managers in the wild and why they use them in that manner. To address this knowledge gap, we conduct observational interviews with 32 password manager users. Using grounded theory, we identify four theories describing the processes and rationale behind participants' usage of password managers. We find that many users simultaneously use both a browser-based and a third-party manager, using each as a backup for the other, with this new paradigm having intriguing usability and security implications. Users also eschew generated passwords because these passwords are challenging to enter and remember when the manager is unavailable, necessitating new generators that create easy-to-enter and remember passwords. Additionally, the credential audits provided by most managers overwhelm users, limiting their utility and indicating a need for more proactive and streamlined notification systems. We also discuss mobile usage, adoption and promotion, and other related topics.

• Download paper
• Download data archive

Abstract:  Password managers help users more effectively manage their passwords, encouraging them to adopt stronger passwords across their many accounts. In contrast to desktop systems where password managers receive no system-level support, mobile operating systems provide autofill frameworks designed to integrate with password managers to provide secure and usable autofill for browsers and other apps installed on mobile devices. In this paper, we evaluate mobile autofill frameworks on iOS and Android, examining whether they achieve substantive benefits over the ad-hoc desktop environment or become a problematic single point of failure. Our results find that while the frameworks address several common issues, they also enforce insecure behavior and fail to provide password managers sufficient information to override the frameworks' insecure behavior, resulting in mobile managers being less secure than their desktop counterparts overall. We also demonstrate how these frameworks act as a confused deputy in manager-assisted credential phishing attacks. Our results demonstrate the need for significant improvements to mobile autofill frameworks. We conclude the paper with recommendations for the design and implementation of secure autofill frameworks.

• Download paper
• Download presentation slides
• Download presentation slides
• Download data archive

Abstract:  Password-based authentication is the predominant method for securing access on the web, yet it is fraught with challenges due to the web’s lack of inherent design for authentication. Password managers have emerged as auxiliary tools to assist users in generating, storing, and inputting passwords more securely and efficiently. But both the browser and the server are oblivious of the password manager’s presence, leading to usability and security issues. However, because the web wasn’t originally built to accommodate password-based authentication, password managers serve as a temporary fix and encounter several usability and security problems that limit their widespread use. This dissertation proposes a novel approach to enhance the usability and security of password-based authentication by integrating authentication as a core component of the web infrastructure, through the introduction of standardized interfaces for the interaction among browsers, password managers, and websites. To achieve this, the dissertation introduces four implementations as an exploration: (1) the development of a Password Composition Policy (PCP) language designed to standardize and enhance password generation processes; (2) the creation of a Secure Browser Channel (SBC) aimed at bolstering security of passwords against prevalent web threats such as cross-site scripting (XSS) attacks and malicious browser extensions; (3) implementing the concept of SBC in FIDO2 passwordless authentication to show that the concept is important to more than just passwords; and (4) the application of SBC in different context than credential entry – the detection and auditing of browser-based attacks. We implemented and performed real-world evaluations, demonstrating their practical viability and effectiveness in improving web authentication. The dissertation concludes with reflections on the lessons learned from these implementations and outlines future research directions that could further cement authentication as an integral, first-class component of the web, thereby substantially improving the security and usability landscape of web authentication.

• Download paper