Verified password generation from password composition policies

Bibliographic Details
Main Author: Grilo, Miguel
Publication Date: 2022
Other Authors: Campos, João; Ferreira, João F.; Almeida, José Bacelar; Mendes, Alexandra
Language: eng
Source: Repositórios Científicos de Acesso Aberto de Portugal (RCAAP)
Download full: https://hdl.handle.net/1822/89761
Summary: Password managers (PMs) are important tools that enable the use of stronger passwords, freeing users from the cognitive burden of remembering them. Despite this, there are still many users who do not fully trust PMs. In this paper, we focus on a feature that most PMs offer that might impact the user’s trust, which is the process of generating a random password. We present three of the most commonly used algorithms and we propose a solution for a formally verified reference implementation of a password generation algorithm. We use EasyCrypt to specify and verify our reference implementation. In addition, we present a proof-of-concept prototype that extends Bitwarden to only generate compliant passwords, solving a frequent users’ frustration with PMs. This demonstrates that our formally verified component can be integrated into an existing (and widely used) PM.
Funding: This work was partially funded by the PassCert project, a CMU Portugal Exploratory Project funded by Fundação para a Ciência e Tecnologia (FCT), with reference CMU/TIC/0006/2019 and supported by national funds through FCT under project UIDB/50021/2020.
Keywords: Password manager; Random password generator; Formal verification; Security; EasyCrypt; Jasmin; Interactive theorem proving; Verified compilation; Bitwarden
Subjects: Engineering and Technology::Electrical, Electronic and Information Engineering; Science & Technology; Industry, innovation and infrastructure
Contributor: Universidade do Minho
Issued: 2022-06
Type: conference paper (published version)
Citation: Grilo, M., Campos, J., Ferreira, J.F., Almeida, J.B., Mendes, A. (2022). Verified Password Generation from Password Composition Policies. In: ter Beek, M.H., Monahan, R. (eds) Integrated Formal Methods. IFM 2022. Lecture Notes in Computer Science, vol 13274. Springer, Cham. https://doi.org/10.1007/978-3-031-07727-2_15
ISBN: 978-3-031-07726-5; 978-3-031-07727-2
ISSN: 0302-9743; 1611-3349
Publisher version: https://link.springer.com/chapter/10.1007/978-3-031-07727-2_15
Rights: open access
Format: application/pdf
Publisher: Springer