Password Managers: Comparative Evaluation, Design, Implementation and Empirical Analysis

  • Passwords continue to prevail as the primary method for user authentication, despite well-known drawbacks. Password managers offer improvement without the deployment barrier of server-side changes. This thesis examines password managers to alleviate some of the deficits of password authentication, while retaining the deployability advantages of passwords. In order to provide more fine-grained comparative evaluation of password managers, we extend the Usability-Deployability-Security (UDS) framework of Bonneau et al. by adding evaluation properties which allow differentiation of password managers by characteristics not measured by the more general UDS. We introduce and evaluate the security of dual-possession authentication, an authentication approach offering encrypted storage of passwords and theft-resistance without the use of a master password. We further introduce Tapas as an implementation of dual-possession authentication leveraging a desktop computer and a smartphone. Tapas requires no server-side changes, no master password, and protects stored passwords in the event either device is stolen.

Rights Notes
  • Copyright © 2013 the author(s). Theses may be used for non-commercial research, educational, or related academic purposes only. Such uses include personal study, research, scholarship, and teaching. Theses may only be shared by linking to Carleton University Institutional Repository and no part may be used without proper attribution to the author. No part may be used for commercial purposes directly or indirectly via a for-profit platform; no adaptation or derivative works are permitted without consent from the copyright owner.
Date Created
  • 2013

