Building a New Password Generator

Starting Date: June 2017
Duration: 3 months
Time commitment: 20 hours / week
Prerequisites: 2nd year, IY2760 and knowledge of (or willingness to learn) JavaScript

Password generators are client-based systems which automatically generate passwords for user authentication to websites.  They are analogous to password managers, except that the passwords are never actually stored anywhere.  A number of proposals for such schemes exist – perhaps the best known is called PwdHash (see https://www.pwdhash.com/).  Some of these schemes have been implemented – including PwdHash.
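The idea in the paragraph above, as an added sketch that is not code from PwdHash, AutoPass or the paper: a site password is recomputed on demand from a master secret and the site's host name, so nothing is ever stored. The function names, the PBKDF2 parameters, the character classes and the `counter` field are assumptions made for illustration, and Node's `crypto` module stands in for whatever a browser plugin would use.

```javascript
// Added illustration of a generic password generator; all names are hypothetical.
const crypto = require('crypto');

// Character classes a site policy may require (constructed for this example).
const CLASSES = {
  lower: 'abcdefghijklmnopqrstuvwxyz',
  upper: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  digit: '0123456789',
  symbol: '!#$%&*+-=?@',
};

// Site identifier: the lower-cased host name of the page URL (assumption;
// a real tool would have to decide how sub-domains are treated).
function siteId(url) {
  return new URL(url).hostname.toLowerCase();
}

// Derive the password for one site. Same inputs always give the same output,
// which is what lets the password be regenerated instead of stored.
function generatePassword(master, url, policy = {}) {
  const { length = 16, classes = Object.keys(CLASSES), counter = 1 } = policy;
  if (length < classes.length) throw new RangeError('length too short for policy');
  // Host names cannot contain '\n', so the salt encoding is unambiguous.
  const salt = `${siteId(url)}\n${counter}`;
  const bytes = crypto.pbkdf2Sync(master, salt, 100000, 64, 'sha256');
  let n = BigInt('0x' + bytes.toString('hex'));
  // Draw a value in [0, k) from the 512-bit integer; the bias is negligible.
  const take = (k) => {
    const r = Number(n % BigInt(k));
    n /= BigInt(k);
    return r;
  };
  // One character from every required class, then fill from the union.
  const out = classes.map((c) => CLASSES[c][take(CLASSES[c].length)]);
  const all = classes.map((c) => CLASSES[c]).join('');
  while (out.length < length) out.push(all[take(all.length)]);
  // Deterministic Fisher-Yates shuffle so the required characters are not always first.
  for (let i = out.length - 1; i > 0; i--) {
    const j = take(i + 1);
    [out[i], out[j]] = [out[j], out[i]];
  }
  return out.join('');
}
```

Because nothing is stored, the same policy and counter have to be supplied each time for the same password to come back; raising `counter` is how this sketch would rotate a single site's password without changing the master secret.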

In a recent paper written by Fatma Al Maqbali (a research student of mine) and myself – see http://www.chrismitchell.net/Papers/pgoian.pdf and http://arxiv.org/abs/1607.04421 – we gave the first general model for such schemes, and reconsidered the existing proposals in the light of this model.  We also identified a number of features that would be desirable in a password generator, and which are absent from all previously proposed schemes.  This led us to outline the design of a new password generator scheme we call AutoPass (this outline is given in the paper mentioned above).

Since the above-mentioned paper was completed and published (in the second half of 2016), we have continued to work on the design of AutoPass, and we now have a complete specification.  A copy of this specification, which is as yet unpublished, can be provided on request (email me on me@chrismitchell.net – use this email address for any other questions).  The next step in the ongoing research is clearly to build a prototype of the system, the main component of which is anticipated to be a JavaScript browser plugin; hence this project proposal.

Obviously an interest in security and the relevant programming skills are prerequisites, but expertise in cryptography or other security algorithms is not necessary.  Any implementations of algorithms can either be borrowed from publicly available libraries or simply replaced with shims (since the use of cryptography is straightforward).

It is intended that once the implementation is working it can be used for practical trials (to be led by Fatma Al Maqbali), and I would anticipate a paper being submitted for publication based on the implementation and subsequent trials; the author of the code would be a co-author of this paper.