Mercury: recovering forgotten passwords using personal devices

Authors:
Mohammad Mannan;David Barrera;Carson D. Brown;David Lie;Paul C. van Oorschot
Affiliations:
Dept. of Electrical and Computer Engineering, University of Toronto, Toronto, Canada;School of Computer Science, Carleton University, Ottawa, Canada;School of Computer Science, Carleton University, Ottawa, Canada;Dept. of Electrical and Computer Engineering, University of Toronto, Toronto, Canada;School of Computer Science, Carleton University, Ottawa, Canada
Venue:
FC'11 Proceedings of the 15th international conference on Financial Cryptography and Data Security
Year:
2011

Citing 15
Cited 0

Cognitive passwords: the key to easy access control

Computers and Security
Protecting secret keys with personal entropy

Future Generation Computer Systems - Special issue on security on the Web
Stronger password authentication using browser extensions

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Why Johnny can't encrypt: a usability evaluation of PGP 5.0

SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
The Confused Deputy and the Domain Hijacker

IEEE Security and Privacy
Love and authentication

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Do strong web passwords accomplish anything?

HOTSEC'07 Proceedings of the 2nd USENIX workshop on Hot topics in security
Personal knowledge questions for fallback authentication: security questions in the era of Facebook

Proceedings of the 4th symposium on Usable privacy and security
Email-Based Identification and Authentication: An Alternative to PKI?

IEEE Security and Privacy
Digital objects as passwords

HOTSEC'08 Proceedings of the 3rd conference on Hot topics in security
Seeing-Is-Believing: using camera phones for human-verifiable authentication

International Journal of Security and Networks
It's No Secret. Measuring the Security and Reliability of Authentication via "Secret Questions

SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Your botnet is my botnet: analysis of a botnet takeover

Proceedings of the 16th ACM conference on Computer and communications security
The security of modern password expiration: an algorithmic framework and empirical analysis

Proceedings of the 17th ACM conference on Computer and communications security
Pictures or questions?: examining user responses to association-based authentication

BCS '10 Proceedings of the 24th BCS Interaction Specialist Group Conference

Quantified Score

Hi-index	0.00

Visualization

Abstract

Instead of allowing the recovery of original passwords, forgotten passwords are often reset using online mechanisms such as password verification questions (PVQ methods) and password reset links in email. These mechanisms are generally weak, exploitable, and force users to choose new passwords. Emailing the original password exposes the password to third parties. To address these issues, and to allow forgotten passwords to be securely restored, we present a scheme called Mercury. Its primary mode employs user-level public keys and a personal mobile device (PMD) such as a smart-phone, netbook, or tablet. A user generates a key pair on her PMD; the private key remains on the PMD and the public key is shared with different sites (e.g., during account setup). For password recovery, the site sends the (public key)-encrypted password to the user's pre-registered email address, or displays the encrypted password on a webpage, e.g., as a barcode. The encrypted password is then decrypted using the PMD and revealed to the user. A prototype implementation of Mercury is available as an Android application.