Safaie, Tina (2021) BYPASS: RECONSIDERING THE USABILITY OF PASSWORD MANAGERS. Masters thesis, Concordia University.
Text (application/pdf), 4MB: Safaie_MASc_F2021a.pdf - Accepted Version
Abstract
Since passwords are an unavoidable mechanism for authenticating to online services, experts often recommend using a password manager for better password security. However, adoption of password managers is low due to poor usability, the difficulty of migrating accounts to a manager, and users' sense that a manager will not add value. In this work, we present ByPass, a novel password manager that is placed between the user and the website for secure and direct communication between the manager and websites. This direct communication allows ByPass to minimize the user actions needed to complete various password management tasks, including account registration, logins, and password changes. ByPass is designed to minimize errors and improve usability. Our goal is to create a space where security could be the users' primary task, and allow them to focus cleanly and consistently on account management tasks. The constancy of the ByPass interface is intended to allow users a greater sense of control over their passwords and accounts. By using the API to move account interactions into this space, we hope to create an interface where users know where to address security concerns and can access the controls to address those concerns. Current password managers hint at this functionality (and include innovative tools, such as security audits), but their placement outside the authentication interaction hampers the functionality they are able to support.
We conducted a usability evaluation of ByPass and found that this approach shows promising usability, and can help users to better manage their accounts in a secure manner.
We also conducted a security analysis of ByPass and showed the security improvements that can be achieved with the support of APIs for password managers. Our study shows that many known security vulnerabilities can be eradicated from the foundation of password managers, and significant usability can be gained with the inclusion of API support for password managers.
Divisions: | Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering |
---|---|
Item Type: | Thesis (Masters) |
Authors: | Safaie, Tina |
Institution: | Concordia University |
Degree Name: | M.A. Sc. |
Program: | Information Systems Security |
Date: | 31 March 2021 |
Thesis Supervisor(s): | Mannan, Mohammad and Youssef, Amr and Stobert, Elizabeth |
ID Code: | 988250 |
Deposited By: | Tina Safaie |
Deposited On: | 29 Jun 2021 23:17 |
Last Modified: | 29 Jun 2021 23:17 |