Password Managers: Comparative Evaluation, Design, Implementation and Empirical Analysis

Passwords continue to prevail as the primary method for user authentication, despite well-known drawbacks. Password managers offer improvement without the deployment barrier of server-side changes. This thesis examines password managers to alleviate some of the deficits of password authentication, while retaining the deployability advantages of passwords.In order to provide more fine-grained comparative evaluation of password managers, we extend the Usability-Deployability-Security framework of Bonneau et. al. by adding additional evaluation properties which allow differentiation of password managers by characteristics not measured by the more general UDS.We introduce and evaluate the security of dual-possession authentication, an authentication approach offering encrypted storage of passwords and theft-resistance without the use of a master password. We further introduce Tapas as a implementation of dual-possession authentication leveraging a desktop computer and a smartphone. Tapas requires no server-side changes, no master password, and protects stored passwords in the event either device is stolen.