2019 7th International Conference on Smart Computing & Communications (ICSCC)

PassMan: A New Approach of Password Generation and Management without Storing

Jannatul Bake Billa, Department of Computer Science and Engineering, East West University, Dhaka, Bangladesh, 2015-2-60-013@std.ewubd.edu
Anika Nawar, Department of Computer Science and Engineering, East West University, Dhaka, Bangladesh, 2015-1-63-017@std.ewubd.edu
Md. Maruf Hasan Shakil, Department of Computer Science and Engineering, East West University, Dhaka, Bangladesh, 2015-2-60-015@std.ewubd.edu
Amit Kumar Das, Department of Computer Science and Engineering, East West University, Dhaka, Bangladesh, amit.csedu@gmail.com

Abstract— Passwords have become a critical part of one's personal, social, and professional life. We need passwords to secure personal information regardless of the platform. People need passwords for almost every system they use. Secure passwords are hard to generate, and it is harder still to remember and manage them. Password managers claim immense importance in this circumstance, but not all the password managers available can always provide proper security for the passwords and other information given to them. Those are vulnerable when it comes to protecting the information from hackers. This paper presents a proposition of a new and improved approach for password management systems. This approach does not need to store the password anywhere, unlike the existing ones. It will only save three parameters set by the user to identify them, in the local storage of the device where they installed the system. Our hope is that the system will give users a safer feeling when using password manager systems, as it becomes more secure and non-volatile.

Keywords—Password Manager, local, cloud, decoy, hashing, security

I. INTRODUCTION
In modern times, people are more involved in online activity. To do so, they have to create and maintain many accounts in various systems. In that case, the one thought that generally comes to most people's minds is 'how can they create and manage secure passwords?' There are two options for creating a secure password.
One is to create one secure password for all the systems. This leads to another concern: if one site somehow gets compromised, it will hamper the security of all the systems that use the same password. The Yahoo hack is an excellent example of this type of security breach. In 2016, Yahoo reported two major data breaches. One happened in late 2014 and was announced in September 2016. This affected over 500 million user accounts. Another breach, occurring in August 2013, was reported in December 2016. This had initially affected over 1 billion accounts. In 2017, they affirmed that these two breaches affected all 3 billion of their user accounts. People consider these the most significant breaches in internet history. The hackers took many personal details including hashed passwords as well as the names, emails, phone numbers, encrypted and unencrypted security questions and answers, and dates of birth of their users [7][8][9][10]. As these kinds of attacks can make an individual vulnerable, having one password for all or even several systems is not a viable option.
The other option is to use several secure passwords. However, for this, they may need to remember a massive number of passwords, as they are associated with many systems.
To reduce the difficulty, many turn to password management applications. Again, using the apps does not make the worry go away. There are also some problems in existing password management systems. First, there are two types of approaches for these applications. One is to store the generated passwords on the device where the application is installed. The problem of this kind of approach is that if anyone wants to change the device, s/he has to move the data file to the new device, which lacks the capability of password synchronization. Moreover, if a thief somehow steals the device, there is no way to retrieve the passwords either. On the contrary, the other approach is to save the passwords in an online database. Therefore, users can access and use the passwords from wherever and whenever they want and need to. In this approach, synchronization of the passwords is doable. Nevertheless, as these types of applications store all the credentials in an online database, it becomes a single point of weakness in a strong chain of security, which can lead to another massive breach like Yahoo's.
Those are the reasons that motivated this paper. It introduces a new approach to generate and manage passwords, which does not need to store the passwords in any local or cloud database. The approach also uses decoys in the form of the phrase & hint.
The organization of the rest of the paper is as follows: the next section generalizes the findings of several research papers related to our work, section 3 describes the working criteria and structure for the proposed approach, the results and discussion are concluded in section 4, and section 5 contains limitations and future improvements for the proposed approach.

978-1-7281-1557-3/19/$31.00 ©2019 IEEE

II. RELATED WORK
To understand the password management systems and their limitations, we have studied several other papers. Most of those discussed the security measurements, theft-resistance, and attacks & defenses of different password management systems or procedures and proposed a new approach.
Torstein Haugum & Lars-Christian K. Rygh stated in their book chapter that they based their research on the implementation of decoys. Their theory was to prevent a brute force attack, which is a highly popular method of penetrating systems, so that the system can achieve a higher level of security without a decrease in usability. Usually, in other proposed solutions, none could prevent the brute force attack but only slow it. They believed that using a decoy would reduce the threat of brute force attack [1] [3].
In another paper, David Silver et al. studied how some of the password managers leave the passwords at risk by using different autofill policies. An attacker can then easily extract the password remotely by having the user connect to a rogue router at a public place. They proposed to strengthen the managers, implemented their upgrades in the Chrome browser and reported on their effectiveness [2] [5] [6] [7].
Daniel Schougaard, Nicola Dragoni, and Angelo Spognardi said that they analyzed the comparability and critical security of the different managers to understand whether a suitable manager already exists or whether those need upgraded approaches. They based their research on cloud-based password management tools by conducting a comparative and critical security analysis of different options, for users to find out whether there exists a suitable manager or whether those need upgrading [3].
In their paper, Paolo Gasti and Kasper B. Rasmussen analyzed the security provided by the database formats of some popular managers of recent times. They described that there are two kinds of attackers. One is the passive attacker that aims to deduce the user information from the database. The other is the active attacker that tampers with the content or metadata. They highlighted the fact that even an accurate implementation of AES-CBC is not enough to get a secure database [4] [14] [15].
Zhiwei Li et al. aimed to guide the design of present and future password managers by identifying best practices and anti-practices. They introduced some key concerns for web-based managers and identified four key concerns for modern web-based password managers, which are bookmarklet vulnerabilities, "classic" web vulnerabilities, logic vulnerabilities, and UI vulnerabilities. After studying some renowned managers, they concluded that they found multiple vulnerabilities of each kind [5].
Elizabeth Stobert et al. developed Versipass, which is a password manager that works with key elements of password managers and cued graphical passwords. This helps to avoid the existing problems of password memorability, which associates passwords with accounts. It does not remember the password; it remembers an image cue for graphical passwords. These cues help users to remember their passwords and to link passwords with their accounts easily. It also motivates safe password reuse, which allows users to use the same image cue for multiple accounts [6].
All these studies concluded that most of the existing password managers are vulnerable when it comes to protecting the passwords. This led us to our proposed approach, so that the user can feel safer using password managers.

III. METHODOLOGY

A. Proposed Method
Our proposed method is to use multiple hashed parameters to generate a password, which the user will use as the password of the system where they want to register. However, a new problem arises: the user now needs to remember multiple parameters for a single password. To fix this, we propose to use three parameters, two of which remain constant for all systems. For a new system, the user will have to change only one of these parameters. Therefore, they will not have to supply all three parameters for every system repeatedly.
For first-time registration/re-registration, the user will need all three parameters, but for later use, they only need to remember one additional parameter for each new system.
For further simplification, we defined the parameters as follows.
We used the user name as the first and a random phrase as the second fixed parameter. The random phrase can be a quote or any alphanumerical value. We named the variable parameter the "hint." The hint can be a word, number, or sentence that represents the system for which the user needs to generate the password.
In this way, the user does not need to remember any complex string for the system password. Each time, the fixed values and the one variable value will go through a hashing function, so that the hashed value will be different each time.
Therefore, generating different passwords depends entirely on the hint. Each time a user needs to log in to a system where he already used a password generated by this method, he will need to provide the hint he used earlier to indicate that system, and the password manager will regenerate the password for him.

B. Working procedure of the proposed method
After designing the full system, we tried to implement it by developing the algorithm for it. For the hashing part of this algorithm, we used MD5 hashing. When we were putting our theory into practice, we faced some problems. Firstly, MD5 hash values have a length of 32 characters. Secondly, hash values will only contain numeric 0-9 characters and lowercase alphabetic a-z characters. To get a moderately sized password, we had to trim the hash value. Again, we needed to add special characters ('.' or '@' or '?' etc.) and upper case characters, as most systems
recommend those for a strong password. So, trimming and taking the last eleven characters of the hashed value and adding five special and uppercase characters to the new trimmed password would guarantee a strong and moderately sized password.
Briefly, the working procedure of the proposed model is:
1. Save the username, application password and the phrase provided by the user during registration as the three fixed parameters.
2. Get the two fixed parameters from the device storage.
3. Get the hint provided by the user, which represents the system they want to generate the password for, and get the hash value for it.
4. Concatenate the fixed parameters and get the hash value for them.
5. Concatenate the hash values of the fixed values and the hint and get the hash value for it again.
6. Trim and get the last 11 characters of the string found in the last stage.
7. Get the final password by adding special characters to the final string.

C. User Interface of PassMan
After developing the algorithm, we aimed to develop a password manager Android application named PassMan based on our proposed method. The description of its user interface is below.
On startup, first-time users will have a signup page to register them using the username, application password, and a phrase (any random word/number/anything). Information will be stored in the local device storage, which will reduce the time needed to retype the same information repeatedly.
After tapping Register, it will redirect the users to the login screen where they can enter username and password to log in. Upon logging in, users will find a page asking for a hint. This is a word or phrase, which the user should use uniquely for each system.

Fig. 1. Block diagram for PassMan application (panels: Signup [1. Enter UserName, 2. Enter New Password, 3. Enter Phrase; Register, Guest Login]; Guest Login [1. Enter UserName, 2. Enter New Password, 3. Enter Phrase, 4. Enter Hint; Generate, Copy Password]; Login [1. Enter UserName, 2. Enter Password, 3. Enter Phrase; Generate, Login])

After providing the hint and pressing Generate, it will redirect the user to a page where the app will display the password and an option to copy it to the clipboard.
If the user logs in with the same id and provides the same hint, the system will provide the same password every time. Each time a certain user tries to generate a new password for a new system, the algorithm will generate a unique one, as the hint will be different for the desired system. It will not matter that his username, application password, and phrase remain the same every time.
The user can also use the fingerprint to log in, in the same way they unlock their phone. For that, they have to enable the fingerprint option from the menu when logged in the first time using username and password, or any time after setting up the application. That way, a user will not even have to use the username and password for the system repeatedly. Those who do not have the fingerprint security system on their phone can use a PIN number instead.
Guest users can also use the same app using the guest option from the login page if they lost their phone or just do not have it with them at that moment. In this case, the guest user will need to provide a username, phrase, and hint. The application will not save any of this information for the guest user in the local storage.
The application stores the username and phrase so that the user does not need to retype them over and over, but if a user wants, they can use the guest mode, as it will not store any of the keywords.

D. Working procedure of PassMan
The working procedure of PassMan is simple. Whenever a user logs into the system, it will call the generatePassword function. The function will take the username & phrase from the local storage for the logged-in user. It will then concatenate those two variables together and apply MD5 hashing. After the user provides the hint, it will do the same for the hint too. After that, it will take the hashed hint and the hashed concatenated string and apply MD5 hashing again. The newly hashed string will then be trimmed, taking 11 characters from it to generate the new pass string. It will then go through the addSpecial function.
An image of the code segment and a block diagram of the generatePassword function are given below.

generatePassword ()
{
  string hint;
  string concated = phrase + username;
  hint_new = MD5 (hint);
  concated_new = MD5 (concated);
  pass = MD5 (hint_new + concated_new);
  pass_new = trim (pass);
  password = addSpecial (pass_new);
}
Fig. 2. Code segment for the generatePassword function

Fig. 3. Block diagram for the generatePassword function (hint → MD5() → hint_new; concated → MD5() → concated_new; hint_new + concated_new → MD5() → pass → trim() → pass_new → addSpecial() → password)
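The derivation of Fig. 2 and the seven steps above, written out in Python as an added example for this edition; it is not the authors' code, and the PassMan Android source is not reproduced here. Hashing and trimming follow the paper exactly (MD5 over the UTF-8 string, the last eleven hex characters kept). The offset rule of the addSpecial function follows the paper's Fig. 4 in the next subsection, but the paper does not say which concrete digit, letter or special character is forced at each offset, so deriving each one from an MD5 digest of the string being extended, the special-character set '.', '@', '?' taken from Section III.B, and the rejection of an empty hint are this example's assumptions. The Table II inputs (the Sherlock and Moriarty cases) are reused as sample data; the example does not reproduce the paper's exact output strings, only the properties the paper states for them (fixed length, determinism, and distinct passwords for distinct hints or distinct fixed parameters).

```python
import hashlib
import string

# Added example, not the paper's own code: the PassMan derivation of
# Fig. 2 (generatePassword) and Fig. 4 (addSpecial) in Python.
# Choices the paper leaves open are marked ASSUMPTION.

TRIM_LEN = 11                 # step 6: last eleven characters of the hash
SPECIAL_CHARS = ".@?"         # the special characters named in Section III.B
PASSWORD_LEN = TRIM_LEN + 5   # 11 hash characters + 5 forced characters = 16


def md5_hex(s: str) -> str:
    """MD5 hex digest of a string: 32 characters drawn from 0-9 and a-f."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def trim(hashed: str) -> str:
    """Step 6: keep the last eleven characters of the hashed string."""
    return hashed[-TRIM_LEN:]


def _pick(alphabet: str, seed: str) -> str:
    # ASSUMPTION: the paper only says "force one ... char"; which character
    # is forced is chosen here from the MD5 digest of the current string so
    # that the same inputs always yield the same password.
    return alphabet[int(md5_hex(seed)[:8], 16) % len(alphabet)]


def _force(s: str, pos: int, ch: str) -> str:
    """Insert ch after the first pos characters of s (pos clamped to len(s))."""
    pos = max(0, min(pos, len(s)))
    return s[:pos] + ch + s[pos:]


def add_special(pass_new: str, hint: str) -> str:
    """Step 7 / Fig. 4: force a digit, an uppercase letter, two special
    characters and a lowercase letter into the trimmed hash at the
    hint-dependent offsets given in the paper's addSpecial function."""
    n = len(hint)
    pass_ = _force(pass_new, n, _pick(string.digits, pass_new))
    pass1 = _force(pass_, len(pass_) % n + 2, _pick(string.ascii_uppercase, pass_))
    pass2 = _force(pass1, len(pass1) % n + 4, _pick(SPECIAL_CHARS, pass1))
    pass3 = _force(pass2, len(pass2) % n + 2, _pick(SPECIAL_CHARS, pass2))
    return _force(pass3, len(pass3) % n + 6, _pick(string.ascii_lowercase, pass3))


def generate_password(username: str, phrase: str, hint: str) -> str:
    """Fig. 2: derive the system password from the two fixed parameters
    (username, phrase) and the per-system hint. Nothing is stored."""
    if not hint:
        # ASSUMPTION: the paper requires a hint per system; an empty hint
        # would also make the "% length of (hint)" offsets undefined.
        raise ValueError("a hint is required to derive a system password")
    concated = phrase + username              # Fig. 2: concated = phrase + username
    hint_new = md5_hex(hint)                  # step 3
    concated_new = md5_hex(concated)          # step 4
    pass_ = md5_hex(hint_new + concated_new)  # step 5
    pass_new = trim(pass_)                    # step 6
    return add_special(pass_new, hint)        # step 7


def has_required_classes(password: str) -> bool:
    """Check the composition the paper claims for every generated password:
    16 characters with a digit, an uppercase and a lowercase letter and two
    special characters."""
    return (len(password) == PASSWORD_LEN
            and any(c.isdigit() for c in password)
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and sum(c in SPECIAL_CHARS for c in password) >= 2)


# Sample inputs taken from the paper's Table II (constructed test data).
TABLE_II_CASES = [
    (1, "Sherlock", "I am Sherlocked", "Gmail Account"),
    (2, "Sherlock", "I am Sherlocked", "Instagram"),
    (3, "Sherlock", "I am Sherlocked", "Twitter"),
    (4, "Sherlock", "I am Sherlocked", "Facebook Account"),
    (5, "Moriarty", "miss me", "Mail1"),
    (6, "Moriarty", "miss me", "Mail2"),
    (7, "Moriarty", "miss me", "Twitter"),
    (8, "Moriarty", "miss me", "Facebook"),
]


def run_table_ii_cases() -> dict:
    """Derive a password for every Table II case, keyed by case number."""
    return {num: generate_password(user, phrase, hint)
            for num, user, phrase, hint in TABLE_II_CASES}


if __name__ == "__main__":
    for num, pw in run_table_ii_cases().items():
        print(num, pw, has_required_classes(pw))
```

The hashing step is isolated in md5_hex so that a slower, salted key-derivation function could be substituted without touching the rest of the pipeline. Because MD5 is fast to compute and the username is not secret, the whole secret of a derived password is the phrase; its length and randomness decide how long a brute force search over candidate phrases would take, which is the trade-off the paper discusses in Section IV.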


The addSpecial function will force some special characters into the passed string, and at last the user will get the final password for their desired system.
An image of the code segment and a block diagram for the addSpecial function are given below.

addSpecial ()
{
  pass = force one numeric char after length of (hint) number of char;
  pass1 = force one uppercase alphabetic char after [length of (pass) % length of (hint) + 2];
  pass2 = force one special char after [length of (pass1) % length of (hint) + 4];
  pass3 = force another special char after [length of (pass2) % length of (hint) + 2];
  final_password = force one lowercase alphabetic char after [length of (pass3) % length of (hint) + 6];
}
Fig. 4. Code segment for the addSpecial function

Fig. 5. Block diagram for the addSpecial function (pass_new → Force numeric char → pass → Force uppercase alphabetic char → pass1 → Force special char → pass2 → Force special char → pass3 → Force lowercase alphabetic char → final_password)

The generated password is always 16 characters long, with two special characters, an uppercase & a lowercase alphabetic character and a numeric character, for standard password verification and additional security purposes.
We also propose to use the password management system as a plugin in web browsers. The plugin will pop up a new window, similar to the guest option of the mobile application, where the user can generate a password. The pop-up can also be discarded if the user chooses so.

IV. RESULT & DISCUSSION
In the result table, storage is considered as local for the local database and cloud for the online database. Moreover, the platforms are W for Windows, M for Mac, L for Linux, Mono, A for Android, and iOS.

TABLE I. COMPARISON BETWEEN PROPOSED AND SOME EXISTING MODELS
(Columns in the original: Password Manager | Storage: Local | Storage: Cloud | Open Source | Browser Integration | Platform. The tick marks of the Storage, Open Source and Browser Integration columns are not legible in this copy; only the Platform column is reproduced.)

Password Manager            Platform
Google Chrome [17]          W/M/L
Mozilla Firefox [18]        W/M/L
Internet Explorer [19]      W
1Password [20]              W/M
KeePass 2.x [21]            W/Mono
Passdrop [22]               iOS
PINs [23]                   W
Password Gorilla [24]       W/M/L
Roboform [25]               W/M/L
PassMan [Our Approach]      W/A/M/L

As we can see, the main benefit of PassMan is that it will not need to store the exact password anywhere, which none of the existing systems do. PassMan would be an open source system. It will also support the Windows, Android, Mac, and Linux platforms. It would also support browser integration once the user allows it.
We ran some test cases to see how the passwords remain the same or differ for changing parameters. The sample test cases and their outcomes are below.

TABLE II. SOME SAMPLE TEST CASES FOR PASSMAN

Test case   Username   Phrase            Hint               Generated Password
number      (fixed)    (fixed)           (variable)
1           Sherlock   I am Sherlocked   Gmail Account      ef28b77a24b5P..m
2           Sherlock   I am Sherlocked   Instagram          m.eP.66.ba21045b5
3           Sherlock   I am Sherlocked   Twitter            27m.6P.7d495e841
4           Sherlock   I am Sherlocked   Facebook Account   a5786eff3135P..m
5           Moriarty   miss me           Mail1              .bc1m5.5P5555e8e
6           Moriarty   miss me           Mail2              .67cm9.eP5ba582e
7           Moriarty   miss me           Twitter            fam.2P.8b9653670
8           Moriarty   miss me           Facebook           3m.7P.259b7f5722

From the test case table, we can see that for every different parameter there is a different password. For example, in test cases no. 5 & 6, the only difference is in the hint string (Mail1 & Mail2), but those two combinations generate two completely different password strings. Again, in test cases no. 3 & 7, though the hint string is exactly the same, both combinations generate two
different passwords, as those have a different user name and random phrase.
Therefore, we can say that there is no chance of getting the same password for two different systems, even if the difference between the two parameter sets for those systems is only one character.
We believe that this approach will be useful to slow down a brute force attack greatly. Though users will have to remember their username, application password, the random phrase used in registration and a unique hint to represent each site, we think it is a good trade-off where they will not have to remember their real and tremendously complex passwords. Moreover, they will not have to risk compromising the security by using any other system which saves the password in a local or cloud database.

V. FUTURE WORK
For further modification, we want the system to be as user-friendly as possible. That is why we hope to integrate the system with as many web browsers or other systems as possible. We want our system to be open source so that any other systems can easily get and modify it to their liking. In that way, the users will not have to open the application whenever they want to register to a new system or sign in to a previously registered system. Their desired system will provide them the option to use the PassMan application, which they modified themselves.
As our application does not save any information in the cloud, the user will not have to worry about the safety that much. They can manage their passwords with PassMan without worrying much.

VI. CONCLUSION
We have developed a new and improved system to generate and manage passwords. We also developed an Android application named PassMan based on the new approach. We suggested PassMan be an open source system so any system can use it as they like, to make it more user-friendly and suited to their needs.
The research behind PassMan has brought up many issues and shortcomings in the existing password management systems. We do not claim to solve all of those, but we believe PassMan can provide more security in protecting passwords than the existing ones.
There might be some scope for more improvement, which we would address in future updates.

REFERENCES
[1] T. Haugum, L. K. Rygh, and V. A. Oleshchuk, "Design, implementation, and analysis of a theft-resistant password manager based on camouflage architecture," master's thesis, University of Agder, Grimstad, Norway, 2015.
[2] D. Silver, S. Jana, D. Boneh, E. Chen, and C. Jackson, "Password Managers: Attacks and Defenses," in 23rd USENIX Security Symposium, San Diego, CA, 2014.
[3] A. K. Das, T. Adhikary, M. A. Razzaque, and C. S. Hong, "An intelligent approach for virtual machine and QoS provisioning in cloud computing," The International Conference on Information Networking 2013 (ICOIN), Bangkok, 2013, pp. 462-467.
[4] D. Schougaard, N. Dragoni, and A. Spognardi, "Evaluation of Professional Cloud Password Management Tools," Springer International Publishing, 2016.
[5] A. Tashnim, S. Nowshin, F. Akter, and A. K. Das, "Interactive interface design for learning numeracy and calculation for children with autism," 2017 9th International Conference on Information Technology and Electrical Engineering (ICITEE), Phuket, 2017, pp. 1-6.
[6] F. T. Zohora, M. R. R. Khan, M. F. R. Bhuiyan, and A. K. Das, "Enhancing the capabilities of IoT based fog and cloud infrastructures for time-sensitive events," 2017 International Conference on Electrical Engineering and Computer Science (ICECOS), Palembang, 2017, pp. 224-230.
[7] A. K. Das, T. Adhikary, M. A. Razzaque, M. Alrubaian, M. M. Hassan, Z. Uddin, and B. Song, "Big media healthcare data processing in cloud: a collaborative resource management perspective," Cluster Computing, Volume 20, Issue 2, pp. 1599-1614, June 2017.
[8] P. Gasti and K. B. Rasmussen, "On The Security of Password Manager Database Formats," University of California, Irvine, CA, USA, 2012.
[9] Z. Li, W. He, D. Akhawe, and D. Song, "The Emperor's New Password Manager: Security Analysis of Web-based Password Managers," University of California, Berkeley, CA, USA, 2014.
[10] E. Stobert and R. Biddle, "A Password Manager that Doesn't Remember Passwords," in NSPW'14, Victoria, BC, Canada, 2014.
[11] https://en.wikipedia.org/wiki/Yahoo!_data_breaches#cite_ref-nyt1_1-0 (Accessed on 31st March 2019).
[12] N. Perlroth, "Yahoo Says Hackers Stole Data on 500 Million Users in 2014," The New York Times, 2016.
[13] V. Goel and N. Perlroth, "Yahoo Says 1 Billion User Accounts Were Hacked," The New York Times, 2016.
[14] M. A. A. Mamun, J. A. Puspo, and A. K. Das, "An intelligent smartphone-based approach using IoT for ensuring safe driving," 2017 International Conference on Electrical Engineering and Computer Science (ICECOS), Palembang, 2017, pp. 217-223.
[15] M. Akter, F. T. Zohra, and A. K. Das, "Q-MAC: QoS and mobility aware optimal resource allocation for dynamic application offloading in mobile cloud computing," 2017 International Conference on Electrical, Computer, and Communication Engineering (ECCE), Cox's Bazar, 2017, pp. 803-808.
[16] R. McMillan and R. Knutson, "Yahoo Triples Estimate of Breached Accounts to 3 Billion," The Wall Street Journal, 2017.
[17] https://www.google.com/chrome/ (Accessed on 31st March 2019).
[18] http://www.mozilla.org/ (Accessed on 31st March 2019).
[19] http://windows.microsoft.com/enus/internetexplorer/ (Accessed on 31st March 2019).
[20] https://agilebits.com/onepassword (Accessed on 31st March 2019).
[21] http://keepass.info/ (Accessed on 31st March 2019).
[22] http://itunes.apple.com/us/app/passdrop/id431185109?mt=8 (Accessed on 31st March 2019).
[23] http://www.mirekw.com/winfreeware/pins.html (Accessed on 31st March 2019).
[24] http://www.fpx.de/fp/Software/Gorilla/ (Accessed on 31st March 2019).
[25] http://www.roboform.com/ (Accessed on 31st March 2019).