This paper proposes a scheme for password management by storing password encryptions on a server. The method involves having the encryption key into a share for the user and one for the server. The user’s share shall be based only on a selected passphrase. The server’s share shall be generated from the user’s allocate and the encryption key. The security and conviction are achieved by performing both encryption and decryption on the client side. We also address the issue of countering dictionary attack by providing a further enhancement of the scheme. Password is the most ordinary method for users to authenticate themselves when entering computer systems or websites. It acts as the first line of guard against unlawful access, and it is therefore critical to maintain the usefulness of this line of guard by strictly committed a good password management policy. This paper aims to grant a set of guiding principle and best practices for handling and managing passwords.

Password Encryption, Password Storage, Identity Management, Secret Sharing

[1] Florêncio, D. and Herley, C. (2007) A Large-Scale Study of Web Password Habits. Proceedings of the 16th International Conference on World Wide Web, Banff, May 2007, 657-666. http://dx.doi.org/10.1145/1242572.1242661
[2] Hayday, G. (2002) Security Nightmare: How Do You Maintain 21 Different Passwords? Silicon.com.
[3] (2016) Roboform Reference Manual. Siber Systems Inc.
[4] Zhao, R. and Yue, C. (2013) All Your Browser-Saved Passwords Could Belong to Us: A Security Analysis and Acloud-Based New Design. Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy, San Antonio, February, 2013, 333-340. http://dx.doi.org/10.1145/2435349.2435397
[5] Silver, D., Jana, S., Boneh, D., Chen, E. and Jackson, C. (2014) Password Managers: Attacks and Defenses. 23rd USENIX Security Symposium (USENIX Security 14), San Diago, August 2014, 449-464.
[6] Li, Z., He, W., Akhawe, D. and Song, D. (2014) The Emperor’s New Password Manager: Security Analysis Ofweb- Based Password Managers. 23rd USENIX Security Symposium (USENIX Security 14), San Diago, August 2014, 465- 480.
[7] Haque, T., Wright, M. and Scielzo, S. (2013) A Study of User Password Strategy for Multiple Accounts. Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy, 173-176. http://dx.doi.org/10.1145/2435349.2435373
[8] Giuliani, K. and Murty, V.K. (2014) Split key Secure Access System. U.S. Patent No. 8,892,881.
[9] Kenneth Giuliani1, V. Kumar Murty1, Guangwu Xu2 Copyright © 2016 by authors and Scientific Research Publishing Inc. . http://www.scirp.org/journal/jis http://dx.doi.org/10.4236/jis.2016.73016
[10] Keyur Parmar, Devesh C. Jinwala http://file.scirp.org/pdf/JIS_2015010814240810.pdf
[11] Eman Alharbi, Noha Alsulami, http://file.scirp.org/pdf/JIS_2015031214001850.pdf
[12] Santanu Chatterjee, Sandip Roy, Ashok Kumar Das, Samiran Chattopadhyay, Neeraj Kumar, Member, IEEE, and Athanasios V. Vasilakos, Senior Member, IEEE[12]
[13] Ari Juels | Cornell Tech Thomas Ristenpart | University of Wisconsin Honey Encryption Encryption beyond the Brute-Force Barrier,
[14] Bruno Blanchet Automatically Verified Mechanized Proof of One-Encryption Key Exchange
[15] Joseph Bonneau The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes 2012 IEEE Symposium on Security and Privacy