Factors Affecting Password Manager Adoption among European University Students

Password is the most common method of proving the identity on various online services. More and more sensitive information gets stored online: banking details, healthcare data, educational and corporate data. Due to the increasing amount of accounts, users face the challenge of creating and remembering various passwords of high complexity. To deal with such challenges and improve password management practices, security professionals suggest the use of password managers, also known as password managers. However, this tool has not gained much popularity among the end-users. The purpose of this thesis is to identify and examine the factors that may affect the adoption of password managers. In this regard, I have proposed a research model based on the Unified Theory of Acceptance and Use of Technology (UTAUT) and Task Technology Fit (TTF) models. Data (N=265) was collected from students enrolled at one of European universities using a online survey. For this purpose, data was collected using mailing lists and Facebook page of a crowdsourcing site. PLS-SEM was used to test the proposed model with a usable data set of N= 265.analyze the data sample collected with the means of a questionnaire. The results of the analysis show that performance expectancy and social influence affect behavioral intentions. Task technology fit, facilitating conditions, and behavioral intentions directly affect password manager adoptions, while performance expectancy, social influence, effort expectancy, and technology characteristics are the main factors that affect password manager adoption among European students indirectly

Cloud Password Manager Using Privacy-preserved Biometrics

Using one password for all web services is not secure because the leakage of the password compromises all the web services accounts; while using independent passwords for different web services is inconvenient for the identity claimant to memorize. A password manager is used to address this security-convenience paradox by storing and retrieving multiple existing passwords using one master password. On the other hand, a password manager liberates human brain by enabling people to generate strong passwords without worry about memorizing them. While a password manager provides a convenient and secure way to manage multiple passwords, it centralizes the passwords storage and shifts the risk of passwords leakage from distributed service providers to a software or token authenticated by a single master password. Concerned about this one master password based security, biometrics could be used as a second factor for authentication by verifying the ownership of the master password. However, biometrics based authentication is more privacy concerned than a non-biometric password manager. Therefore, our goal in this thesis work is to design a privacy preserved and security enhanced password manger by using the human unique biometrics attributes. Based on the purpose, several technical aspects i.e., authentication schemes, existing password manager taxonomy, biometrics template protection, offline storage techniques, encryption and decryption algorithms and so on have been surveyed in this thesis. A novel scheme for password manager authentication, password binding, releasing and protecting is proposed. On the basis of the proposed scheme, a global structure is designed for a real password manager named NBLpass, which is implemented as well. NbLpass password manager uses the proposed privacy-preserved and security-enhanced scheme through combining facial features with plain text password, and it is capable of working locally and being synchronized with a cloud database. By using the NBLpass password manager, a user needs only to login to the password manager using one password (called the master key) and his / her freshly captured biometric data prior to the authentication of a web service

Análise da Gestão de Palavras-Chave

Gradualmente, tem-se vindo a verificar que a informação pertencente aos diversos utilizadores da Internet está cada vez mais exposta a ataques. Estas invasões comprometem os seus dados, e, para isso, têm surgido algumas respostas, tais como a segurança da informação. Um dos fatores que se destaca e que está relacionado com esta é a autenticidade. Técnicas de biometria e chaves eletrónicas são exemplos usados para a assegurar, na informação. Porém, o mecanismo que mais sobressai é a utilização de um par constituído por nome de utilizador e palavra-chave. Contudo, este tem revelado alguns problemas associados. Ora, se é usado um único segredo para salvaguardar todos os recursos privados, e este é descoberto, a informação do utilizador estará inteiramente comprometida. Já no caso de serem empregues múltiplas passwords, corre-se o risco de haver o esquecimento das credenciais de acesso. Por outro lado, existem inconvenientes se estas são curtas (facilmente encontradas) ou longas (difíceis de memorizar). Dadas as situações relatadas, têm vindo a ser aplicados gestores de palavras-chave. Tais métodos permitem o armazenamento dos segredos, bem como a sua criação, podendo estes ter vários tipos de resoluções, variando entre técnicas locais, móveis, ou até mesmo baseadas na web. Todas elas possuem vantagens (dependendo do cenário), assim como desvantagens comuns. De forma a verificar se estas ferramentas disponibilizam a segurança prometida, foi executada uma análise intensiva a alguns programas, escolhidos pelo seu desempenho e notoriedade, que já se encontram no mercado. Caso não se mostrassem eficazes, seria proposta uma aplicação, com vista a resolver os problemas descobertos. Porém, concluiu-se que já existe um mecanismo que oferece a salvaguarda pretendida. Assim, foi feito unicamente um estudo sobre as abordagens que podem ser adotadas, destacando a que se apresentou como mais adequada.It has been verified, gradually, that information belonging to different Internet users, is increasingly exposed to attacks. These invasions compromise their data, and so, some answers have arisen, such as information security. One of the most important factors, related to this concept, is authenticity. Biometrics and security tokens are examples used to ensure it. However, the mechanism that stands out more, is the pair composed by a username and password. Nevertheless, this has revealed some problems. If a single secret is used to protect all the websites, and it’s discovered, users’ information will be fully compromised. If there are used multiple passwords, there may be a risk of forgetting access credentials. On the other hand, there are drawbacks if they are short (easily found) or long (hard to remember). Considering the reported statements, password managers have been applied. Such methods allow to store and generate passwords, and can have different types of solutions, ranging between local, mobile or even web-based. All of these have advantages (depending on the scenario), as well as common disadvantages. In order to check if these tools offer the promised security, it was performed an intensive analysis to some programs, chosen by their performance and reputation, that are already on the market. If they proved to be ineffective, an application to solve the discovered problems would be proposed. However, it was concluded that a mechanism providing the desired protection, already exists. Thereby, it was only conducted a study about the approaches that can be adopted, pointing out the one that was presented as more appropriate

An Investigation into Possible Attacks on HTML5 IndexedDB and their Prevention

This thesis presents an analysis of, and enhanced security model for IndexedDB, the persistent HTML5 browser-based data store. In versions of HTML prior to HTML5, web sites used cookies to track user preferences locally. Cookies are however limited both in file size and number, and must also be added to every HTTP request, which increases web traffic unnecessarily. Web functionality has however increased significantly since cookies were introduced by Netscape in 1994. Consequently, web developers require additional capabilities to keep up with the evolution of the World Wide Web and growth in eCommerce. The response to this requirement was the IndexedDB API, which became an official W3C recommendation in January 2015. The IndexedDB API includes an Object Store, indices, and cursors and so gives HTML5 - compliant browsers a transactional database capability. Furthermore, once downloaded, IndexedDB data stores do not require network connectivity. This permits mobile web- based applications to work without a data connection. Such IndexedDB data stores will be used to store customer data, they will inevitably become targets for attackers. This thesis firstly argues that the design of IndexedDB makes it unavoidably insecure. That is, every implementation is vulnerable to attacks such as Cross Site Scripting, and even data that has been deleted from databases may be stolen using appropriate software tools. This is demonstrated experimentally on both mobile and desktop browsers. IndexedDB is however capable of high performance even when compared to servers running optimized local databases. This is demonstrated through the development of a formal performance model. The performance predictions for IndexedDB were tested experimentally, and the results showed high conformance over a range of usage scenarios. This implies that IndexedDB is potentially a useful HTML5 API if the security issues can be addressed. In the final component of this thesis, we propose and implement enhancements that correct the security weaknesses identified in IndexedDB. The enhancements use multifactor authentication, and so are resistant to Cross Site Scripting attacks. This enhancement is then demonstrated experimentally, showing that HTML5 IndexedDB may be used securely both online and offline. This implies that secure, standards compliant browser based applications with persistent local data stores may both feasible and efficient