apple / password-manager-resources

A place for creators and users of password managers to collaborate on resources to make password management better.
MIT License

Add 2 new rules and 1 new option for greater flexibility #546

Open mikibakaiki opened 2 years ago

mikibakaiki commented 2 years ago

Hey everyone!

I recently finished my Masters Degree and my dissertation was about "SmartPasswords: Increasing Password Managers’ Usability by Generating Compliant Passwords".

In this project, we built a prototype of a password manager that could interpret password rules and generate compliant passwords. We based our work on this repo and mainly, the rules and the parser.

During the development of the project, we came up with some improvements that we now would like to share with you, and hopefully, have them incorporated here :)

You can view our repo here.

Contributions

New Rules

So if the default list contains the words hello, world, and 123, with the blocklist: default; rule present, passwords that contain any substring that matches these 3 words should not be generated.

So, for the rule minclasses: 2; the password can have a combination of any two character classes. From our understanding, this was not achievable with the base rules established here. This allows for the description of common research policies, such as 3c8 --- at least 3 character classes and a minimum length of 8.

New Option

We also added a new option: allow the specification of a range for both characters and character classes.

To use this option, one only needs to add parentheses followed by the minimum range and the maximum range --- <custom_character_class>(minimum_range, maximum_range) | <character_class>(minimum_range, maximum_range)

This allows for greater flexibility to express more restrictive policies.

Example

required: upper (3, 5); required: [aeiou](5,5); allowed: special (0,4); lower; minlength: 14;

The password must contain at least 3 uppercase letters and no more than 5.
The password must contain exactly 5 lowercase vowels.
The password can contain, at most, 4 special characters.
The password can contain lowercase letters.

This new option also allows for the translation of all of Google's API records to the Password Policy Rules format. Because Google's API has constraints regarding the minimum and maximum frequency of character classes, this new option would facilitate the translation mentioned in this issue.

Misc

Hopefully, our work can be a valuable addition to this amazing project.

I am available to discuss further details :)
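To make the proposed syntax concrete, here is an added example (not the PR author's code and not the repository's own parser) that reads rules using the `(min, max)` range option together with `minlength` and `minclasses`, and reports which constraints a candidate password violates. The character-class membership and the reading of a bare `lower;` as an `allowed` rule are assumptions made for this example.

```javascript
// Added example, not the repository's parser: reads the proposed "<class>(min, max)"
// range option plus minlength/minclasses and checks a password against it.
// Class membership is an assumption, not the repo's exact character lists.
const CLASSES = {
  upper: /[A-Z]/, lower: /[a-z]/, digit: /[0-9]/,
  special: /[-~!@#$%^&*_+=`|(){}[\]:;"'<>,.?]/,
};
// Parse "required: upper (3, 5); allowed: special (0,4); lower; minlength: 14;".
// A bare class name such as "lower;" is read as "allowed" (assumption).
function parseRules(text) {
  const rules = [];
  for (const raw of text.split(';')) {
    const part = raw.trim();
    if (!part) continue;
    const [name, rest] = part.includes(':')
      ? part.split(':').map(s => s.trim()) : ['allowed', part];
    if (name === 'minlength' || name === 'minclasses') {
      rules.push({ name, value: parseInt(rest, 10) });
      continue;
    }
    // Split on commas that are not inside a "(min, max)" range.
    for (const spec of rest.split(/,(?![^(]*\))/).map(s => s.trim())) {
      const m = spec.match(/^(\[[^\]]+\]|[a-z]+)\s*(?:\(\s*(\d+)\s*,\s*(\d+)\s*\))?$/);
      if (!m) throw new Error('unparseable rule: ' + spec);
      const cls = m[1].startsWith('[') ? new RegExp(m[1]) : CLASSES[m[1]];
      if (!cls) throw new Error('unknown class: ' + m[1]);
      // Without a range, "required" means at least one and "allowed" any count.
      rules.push({ name, label: m[1], cls,
        min: m[2] !== undefined ? +m[2] : (name === 'required' ? 1 : 0),
        max: m[3] !== undefined ? +m[3] : Infinity });
    }
  }
  return rules;
}
const countClass = (pw, cls) => [...pw].filter(ch => cls.test(ch)).length;
// Return the violated constraints; an empty list means the password complies.
function checkPassword(password, rules) {
  const problems = [];
  for (const r of rules) {
    if (r.name === 'minlength' && password.length < r.value) problems.push(`length < ${r.value}`);
    else if (r.name === 'minclasses') {
      const present = Object.values(CLASSES).filter(c => countClass(password, c) > 0).length;
      if (present < r.value) problems.push(`${present} classes < ${r.value}`);
    } else if (r.cls) {
      const n = countClass(password, r.cls);
      if (n < r.min || n > r.max) problems.push(`${r.label}: ${n} not in [${r.min}, ${r.max}]`);
    }
  }
  return problems;
}
```

With the rule string from the example above, `checkPassword('ABCaeiouxyzwvt', rules)` returns an empty list, while the 3c8 policy can be written as `minclasses: 3; minlength: 8;`.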

peterstory commented 2 years ago

Hello @mikibakaiki! Is there any chance you could share a link to your paper, "SmartPasswords: Increasing Password Managers’ Usability by Generating Compliant Passwords"?

mikibakaiki commented 2 years ago

Hey there @peterstory :) Sorry for the late reply!

Here is the link for my thesis. I would suggest you look into the thesis itself because it is more detailed than the extended abstract :)

peterstory commented 2 years ago

@mikibakaiki Thank you for sharing that link! However, I see a message that:

Thesis documents not publicly available yet

Any idea when the thesis document itself will become available?

mikibakaiki commented 2 years ago

Oh, I thought it was! I'm unsure, but I'll try and get a link ASAP!

mikibakaiki commented 2 years ago

@peterstory Here it is, this time working 😄

peterstory commented 2 years ago

Excellent, thank you for sharing! :)