CredProxy: A Password Manager for Online Authentication Environments

Abstract

Internet users are increasingly required to sign up for online services and establish accounts before receiving service from websites. On the one hand, generation of strong usernames and passwords is a difficult task for the user. On the other hand, memorization of strong passwords is by far more problematic for the average user. Thus, the average user has a tendency to use weak passwords, and also reuse his passwords for more than one website, which makes several attacks feasible. Under the aforementioned circumstances, the use of password managers is beneficial, since they unburden the user from the task of memorizing user credentials. However, password managers have a number of weaknesses. This thesis is mainly aimed at alleviating some of the intrinsic weaknesses of password managers. We propose three cryptographic protocols which can improve the security of password managers while enhancing user convenience. We also present the design of a phishing and Man-in-the-Browser resistant password manger which best fits into our scheme. Furthermore, we present our novel virtual on-screen keyboard and keypad which are designed to provide strong protection mechanisms against threats such as keylogging and shoulder surfing.