Verified password generation from password composition policies

Abstract

Password managers (PMs) are important tools that enable the use of stronger passwords, freeing users from the cognitive burden of remembering them. Despite this, there are still many users who do not fully trust PMs. In this paper, we focus on a feature that most PMs offer that might impact the user’s trust, which is the process of generating a random password. We present three of the most commonly used algorithms and we propose a solution for a formally verified reference implementation of a password generation algorithm. We use EasyCrypt to specify and verify our reference implementation. In addition, we present a proof-of-concept prototype that extends Bitwarden to only generate compliant passwords, solving a frequent users’ frustration with PMs. This demonstrates that our formally verified component can be integrated into an existing (and widely used) PM.

Publication
In International Conference on Integrated Formal Methods, 2022
Awards/Honors
Invited to ACM Formal Aspects of Computing special issue on iFM 2022
Ranking
CORE B conference
Avatar
Alexandra Mendes
Assistant Professor

My research focuses on encouraging a wider adoption of software verification by creating tools and methods that hide the complexities of verifying software. Recently, I started work on usable security, in particular on the impact of formal verification on the use and adoption of formally verified security software products. Much of my most recent work overlaps with the area of software engineering. For more details, see selected publications and some of my projects. Follow me on Twitter or add me on LinkedIn.