On the Guessability of Master Passwords


Supervisors: Markus Dürmuth, Maximilian Golla

Start: Anytime

Duration: 6 Months

Further details:


Passwords are the standard for online user authentication, despite substantial drawbacks in terms of memorability and security. The use of a password vault (also called password manager) can relieve a user from the burden of memorizing a large number of secure passwords. Password vaults store passwords in an encrypted container, where the encryption key is derived from a master password using a key derivation function (KDF).

Once the encrypted vault has been stolen, an attacker can try to recover the master password offline. The number of password guesses such an attacker can try is almost unbounded, limited only by the computational resources at their disposal. However, no data is publicly available describing how users choose their master passwords, so the claim that passwords are quickly guessed is unsubstantiated for master passwords. One of the key ideas behind a master password is that, because users only need to select and remember a single password, they will choose a very strong one. This idea has neither been verified nor refuted.

By designing, developing, and conducting a user study, this thesis examines the security of master passwords. Their security should be analyzed using measures such as Partial Guessing Entropy (alpha-guesswork) and simulated offline guessing attacks. Further aspects that could be investigated include differences between device classes (e.g., desktop computer and smartphone) and, consequently, between password-entry methods (e.g., keyboard layouts, text replacement, word completion, and spell check). Finally, self-reported user sentiment, as well as observed behavior (e.g., entry time), could be analyzed.
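As an added illustration of the first metric named above (not part of this thesis description and not code from its supervisors), the following Python computes Partial Guessing Entropy (alpha-guesswork) and the beta-success-rate as defined by Bonneau (IEEE S&P 2012) over a constructed list of sample passwords; the sample strings are invented and merely stand in for data a study would collect.

```python
"""Partial guessing entropy (alpha-guesswork) over sampled master passwords.

Metrics from Bonneau, "The science of guessing" (IEEE S&P 2012), p_1 >= ... >= p_N:
  mu_alpha = min{j : p_1+...+p_j >= alpha};  lambda_mu = p_1+...+p_mu
  G_alpha  = (1 - lambda_mu) * mu + sum_{i<=mu} p_i * i
  bits     = lg(2*G_alpha/lambda_mu - 1) + lg(1/(2 - lambda_mu))   (uniform N -> lg N)
"""
from collections import Counter
from math import log2
from typing import Iterable, List, Tuple

def distribution(passwords: Iterable[str]) -> List[float]:
    """Descending probability vector estimated from observed frequencies."""
    counts = Counter(passwords)
    total = sum(counts.values())
    return sorted((c / total for c in counts.values()), reverse=True)

def alpha_guesswork(probs: List[float], alpha: float) -> Tuple[int, float, float]:
    """(mu_alpha, lambda_mu, G_alpha) for a guesser who stops at success rate alpha."""
    cum = weighted = 0.0
    mu = 0
    for i, p in enumerate(probs, start=1):
        cum += p
        weighted += p * i          # guesses spent on users cracked at step i
        mu = i
        if cum >= alpha - 1e-12:   # tolerate float drift when alpha == 1.0
            break
    # users not cracked within mu guesses still cost the guesser mu guesses each
    return mu, cum, (1.0 - cum) * mu + weighted

def alpha_guesswork_bits(probs: List[float], alpha: float) -> float:
    """G_alpha in bits, directly comparable to lg N for a uniform distribution."""
    _, lam, g = alpha_guesswork(probs, alpha)
    return log2(2.0 * g / lam - 1.0) + log2(1.0 / (2.0 - lam))

def beta_success_rate(probs: List[float], beta: int) -> float:
    """lambda_beta: fraction of users cracked with a budget of beta guesses."""
    return sum(probs[:beta])

# Constructed sample (16 entries) standing in for study-collected master passwords.
SAMPLE = (["Tr0ub4dor&3"] * 4 + ["correct-horse-battery"] * 3 + ["Summer2019!"] * 2
          + ["vault42", "Kryptonite#1", "my-secret-key", "Abc12345",
             "letmein!!", "Zeta.Omega.7", "p@ssw0rd"])

if __name__ == "__main__":
    probs = distribution(SAMPLE)
    for a in (0.25, 0.5, 1.0):
        mu, lam, g = alpha_guesswork(probs, a)
        print(f"alpha={a}: mu={mu} lambda={lam:.4f} G={g:.4f} bits={alpha_guesswork_bits(probs, a):.2f}")
```

On the constructed sample a guesser aiming at half the users needs only three guesses (about 2.3 bits), which is the kind of gap between a vault's KDF work factor and its users' actual choices that the metric makes visible.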

We are especially interested in whether there is a connection between user-chosen master passwords and regular passwords. By applying the methodologies from the lectures "Usable Security and Privacy" and "Methods of User Authentication", this is a unique opportunity to get in touch with current research.


Good programming skills, especially in Web development, are required; knowledge of user authentication and a background in usable security are a plus; experience with mobile Web app frameworks (Ionic and AngularJS) is preferable.