Mercury: Recovering Forgotten Passwords Using Personal Devices

Conference paper
Financial Cryptography and Data Security (FC 2011)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7035)

Abstract

Instead of allowing the recovery of original passwords, forgotten passwords are often reset using online mechanisms such as password verification questions (PVQ methods) and password reset links in email. These mechanisms are generally weak, exploitable, and force users to choose new passwords. Emailing the original password exposes the password to third parties. To address these issues, and to allow forgotten passwords to be securely restored, we present a scheme called Mercury. Its primary mode employs user-level public keys and a personal mobile device (PMD) such as a smart-phone, netbook, or tablet. A user generates a key pair on her PMD; the private key remains on the PMD and the public key is shared with different sites (e.g., during account setup). For password recovery, the site sends the (public key)-encrypted password to the user’s pre-registered email address, or displays the encrypted password on a webpage, e.g., as a barcode. The encrypted password is then decrypted using the PMD and revealed to the user. A prototype implementation of Mercury is available as an Android application.
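The abstract describes the primary mode of the scheme as a small public-key protocol: the key pair is generated on the personal mobile device, only the public key reaches the site, and the recovery token the site e-mails or displays as a barcode is the password encrypted under that public key. The following Python program is an added illustration of that exchange and is not the paper's prototype or any code from its authors. It uses the `cryptography` library's RSA-OAEP (SHA-256) for the public-key step; the `Site` class, its storage layout and all function names are assumptions made for the example, and the sample username and password are constructed values.

```python
import base64
import hashlib
import hmac
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def _oaep() -> padding.OAEP:
    # RSA-OAEP with SHA-256 (PKCS#1 v2.1 style padding); the object is stateless.
    return padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA256()),
        algorithm=hashes.SHA256(),
        label=None,
    )


# With a 2048-bit modulus and SHA-256, one OAEP block holds at most 256 - 2*32 - 2 bytes.
MAX_PASSWORD_BYTES = 190


def generate_pmd_keypair(bits: int = 2048):
    """Runs on the personal mobile device (PMD).

    The private key object stays on the device; only the PEM-encoded public
    key is returned for sharing with sites at account setup.
    """
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    public_pem = private_key.public_key().public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return private_key, public_pem


class Site:
    """Hypothetical web site supporting Mercury-style recovery (example assumption).

    Per account it keeps a salted password hash for login and the password
    encrypted under the user's PMD public key for recovery; the plaintext
    password itself is never stored. OAEP is randomised, so two accounts with
    the same password still get different ciphertexts.
    """

    def __init__(self):
        self._accounts = {}  # username -> dict(salt, pw_hash, recovery_ct)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

    def register(self, username: str, password: str, pmd_public_pem: bytes) -> None:
        pw_bytes = password.encode("utf-8")
        if len(pw_bytes) > MAX_PASSWORD_BYTES:
            raise ValueError("password too long for a single RSA-OAEP block")
        public_key = serialization.load_pem_public_key(pmd_public_pem)
        salt = os.urandom(16)
        self._accounts[username] = {
            "salt": salt,
            "pw_hash": self._hash(password, salt),
            "recovery_ct": public_key.encrypt(pw_bytes, _oaep()),
        }

    def verify_login(self, username: str, password: str) -> bool:
        acct = self._accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(acct["pw_hash"], self._hash(password, acct["salt"]))

    def recovery_token(self, username: str) -> str:
        """The string the site would e-mail or render as a barcode.

        Anyone who reads the mailbox or the screen without the PMD's private
        key learns nothing about the password from it.
        """
        ct = self._accounts[username]["recovery_ct"]
        return base64.urlsafe_b64encode(ct).decode("ascii")


def pmd_decrypt(private_key, token: str) -> str:
    """Runs on the PMD: decode the token (pasted or scanned) and decrypt it.

    A token encrypted for a different device makes decrypt() raise ValueError.
    """
    ciphertext = base64.urlsafe_b64decode(token)
    return private_key.decrypt(ciphertext, _oaep()).decode("utf-8")


if __name__ == "__main__":
    priv, pub = generate_pmd_keypair()                            # on the PMD
    site = Site()
    site.register("alice", "correct horse battery staple", pub)   # account setup
    token = site.recovery_token("alice")                          # e-mailed / barcode
    print("recovered:", pmd_decrypt(priv, token))                 # on the PMD
```

Two design points are worth noting. Encrypting at registration rather than at recovery time means the site needs no plaintext password at rest, so a database leak exposes only the salted hash and a ciphertext bound to the user's device. And because recovery depends on the private key held on the PMD, the weak links the abstract names (the e-mail inbox, an on-screen token) carry nothing an observer can use without that device.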

Version: November 18, 2011. Post-proceedings of Financial Cryptography and Data Security 2011.




Editor information

George Danezis


Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Mannan, M., Barrera, D., Brown, C.D., Lie, D., van Oorschot, P.C. (2012). Mercury: Recovering Forgotten Passwords Using Personal Devices. In: Danezis, G. (eds) Financial Cryptography and Data Security. FC 2011. Lecture Notes in Computer Science, vol 7035. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27576-0_26


  • DOI: https://doi.org/10.1007/978-3-642-27576-0_26

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-27575-3

  • Online ISBN: 978-3-642-27576-0

  • eBook Packages: Computer Science (R0)