PassCert Project

Example Event

Sat, 01 Jun 2030 13:00:00 +0000

Slides can be added in a few ways:

Create slides using Wowchemy’s Slides feature and link using slides parameter in the front matter of the talk file
Upload an existing slide deck to static/ and link using url_slides parameter in the front matter of the talk file
Embed your slides (e.g. Google Slides) or presentation video on this page using shortcodes.

Further event details, including page elements such as image galleries, can be added to the body of this page.

bGSL: An Imperative Language for Specification and Refinement of Backtracking Programs

Mon, 01 Aug 2022 10:35:12 +0100

A wp Calculus for a Preferential Computations: Mechanisation in Isabelle/HOL (Technical report)

Persistence of Passwords in Bitwarden's Browser Extension: Unnecessary Retention and Solutions

Thu, 30 Jun 2022 00:00:00 +0000

PassCert presentations at iFM 2022

Tue, 07 Jun 2022 17:48:18 +0000

Members of the PassCert research team attended iFM 2022, the 17th International Conference on integrated Formal Methods.

The two papers presented were:

Studying Users' Willingness to Use a Formally Verified Password Manager, Carolina Carreira (presented at the PhD Symposium)
Verified Password Generation from Password Composition Policies, Miguel Grilo, João Campos, João F. Ferreira, José Bacelar Almeida and Alexandra Mendes

Studying Users' Willingness to Use a Formally Verified Password Manager

Sat, 07 May 2022 00:00:00 +0000

Verified password generation from password composition policies

Sat, 07 May 2022 00:00:00 +0000

Implementação Certificada da Componente Criptográfica do Gestor de Passwords KeePass

Sat, 30 Apr 2022 00:00:00 +0000

SmartPasswords extension accepted by Bitwarden team

Thu, 25 Nov 2021 17:48:18 +0000

Our SmartPasswords extension was accepted by the Bitwarden team! The feature will be merged into the product after a process of code review, benefitting millions of users.

The new feature Smart Passwords, developed in the context of João Campos’s MSc thesis, reads the field passwordrules in an input form. This field contains the password policies specified by the website, making it easier for the generator to generate compliant passwords.

To specify the policy annotations (i.e., password rules), the extension uses a language developed by Apple. It also uses a new npm package developed by our team, based on Apple’s own parser and adapted to Typescript (@passcert/pwrules-annotations).

For example, the specification

passwordrules="required: upper; required: lower; required:digit; required: special; minlength: 10;"

specifies a password that must have at least 10 characters, and at least one lowercase letter, one uppercase letter, one digit, and one symbol. Since all character classes are required, the checkboxes are disabled and the minimum number of digits and symbols is also disabled because changing these values would generate a password that would be uncompliant. The minimum length of the password is also capped at 10.

Verified Password Generation from Password Composition Policies, Miguel Grilo, João Campos, João F. Ferreira, José Bacelar Almeida and Alexandra Mendes
SmartPasswords: Increasing Password Managers' Usability by Generating Compliant Passwords, João Campos’s MSc thesis

Exploring Usable Security to Improve the Impact of Formal Verification: A Research Agenda

Tue, 23 Nov 2021 00:00:00 +0000

Formal Verification of Password Generation Algorithms used in Password Managers

Thu, 18 Nov 2021 00:00:00 +0000

On Usable Security and Verified Password Managers

Thu, 18 Nov 2021 00:00:00 +0000

SmartPasswords: Increasing Password Managers' Usability by Generating Compliant Passwords

Thu, 18 Nov 2021 00:00:00 +0000

Automatic Repair of Java Code with Timing Side-Channel Vulnerabilities

Wed, 10 Nov 2021 00:00:00 +0000

Towards Improving the Usability of Password Managers

Fri, 10 Sep 2021 00:00:00 +0000

PassCert presentations at INFORUM 2021

Thu, 09 Sep 2021 17:48:18 +0000

Members of the PassCert research team attended INFORUM 2021, the Portuguese Informatics Symposium, and presented work in progress.

The three talks presented were:

Towards Improving the Usability of Password Managers, Carolina Carreira, João F. Ferreira and Alexandra Mendes
Towards Formal Verification of Password Generation Algorithms used in Password Managers, Miguel Grilo, João F. Ferreira and José Bacelar Almeida
Certification of a Password Manager’s Cryptographic Component, Pedro Freitas

Photos

Carolina Carreira

Miguel Grilo

Pedro Freitas

Research Assistant / PhD Position available

Sat, 13 Feb 2021 17:48:18 +0000

We have an open research assistant / Ph.D. student position in the PassCert project! The focus is on the application of formal methods to password security. The successful candidate will work from INESC-ID in beautiful Lisbon, Portugal and collaborate closely with the PassCert team. We are open to discuss the possibility of remote working.

The deadline for application is 12 March 2021. More details

STARTING DATE: March 2021
DURATION: 6 months, extendable (the funding is guaranteed for the first year)
LOCATION: Lisbon, Portugal (possibly remote)
QUALIFICATIONS: Applicants must hold a Master’s degree in Computer Science and Engineering or related fields
APPLICATION DEADLINE: 12 March 2021

The selected candidate will:

Contribute to the collection of functional and security requirements for the proof-of-concept password manager and to the identification of properties that will be formally verified.
Formally verify properties relevant to password managers (e.g. properties on generation of secure passwords and properties related to data location).
Contribute to the development of the proof-of-concept verified password manager.
Actively participate in and contribute to PassCert’s activities and regular meetings.

Full details, including applicable legislation and application procedures are all available in the public notice: http://www.eracareers.pt/opportunities/index.aspx?task=global&jobId=131478

If you have any questions, feel free to get in touch with João F. Ferreira.

About Instituto Superior Técnico - University of Lisbon / INESC-ID

Instituto Superior Técnico (IST) is part of the University of Lisbon and is the leading school of engineering in Portugal and among the ARWU top-20 engineering schools in all of Europe. The school aims to contribute to the development of society, promoting excellence in higher education, in the fields of Architecture, Engineering, Science, and Technology by promoting Research, Development, and Innovation activities.

INESC-ID is an R&D institute dedicated to advanced research and development in the fields of Information Technologies, Electronics, Communications, and Energy, privately owned by IST and INESC. Working in close collaboration with faculty from IST, INESC-ID is the main research center for combined Computer Science and Engineering (CSE) and Electrical and Computer Engineering (ECE) in Portugal.

Practical recommendations for stronger, more usable passwords combining minimum-strength, minimum-length, and blocklist requirements

Fri, 01 May 2020 00:00:00 +0000

Skeptic: Automatic, Justified and Privacy-Preserving Password Composition Policy Selection

Sat, 01 Feb 2020 00:00:00 +0000

Evaluating the Accuracy of Password Strength Meters using Off-The-Shelf Guessing Attacks

Wed, 01 Jan 2020 00:00:00 +0000

Why people (don’t) use password managers effectively

Wed, 01 May 2019 00:00:00 +0000

PassCert﹕Exploring the Impact of Formal Verification on the Adoption of Password Security Software

Thu, 28 Jun 2018 00:00:00 +0000

With the explosive growth of our data economy, the quantity of personal data and other valuable assets available online has increased massively. At the same time, despite years of searching for viable alternatives, text passwords remain the dominant access control mechanism to access that data and those assets.

Users’ attitudes towards passwords can thus put at risk the security of our data economy. For example, users have shown that they tend to choose weak passwords that are easy to guess by password cracking software. Moreover, many users reuse the same password across different systems, which can have serious consequences for users and organizations affected by data breaches. In the last few years, breaches at organizations like Yahoo!, Dropbox, Lastpass, LinkedIn, and eBay have exposed over a billion user passwords to attackers.

To address this problem, security experts recommend the use of password managers (PMs) that combine secure password storage and retrieval with random password generation. These tools can improve account security by enabling the use of strong and unique passwords, simultaneously improving the usability and convenience of text password authentication. However, despite its critical importance, the adoption of PMs is still low. Reasons for this include distrust on the storage mechanisms and on the quality of generated passwords.

PassCert’s short-term vision is to build an open-source, proof-of-concept PM that through the use of formal verification, is guaranteed to satisfy properties on data storage and password generation. The goal is to help non-expert users to use stronger passwords without sacrificing convenience, whilst conveying the formal guarantees in an effective way. We aim to determine whether formal verification can increase users’ confidence in PMs and thus increase their adoption. The proof-of-concept PM will result from a close collaboration between researchers from INESC-ID Lisboa, INESC TEC, and The Carnegie Mellon CyLab Security and Privacy Institute.

Contacts

Principal Investigator in Portugal: João F. Ferreira

Principal Investigator at CMU: Nicolas Christin

Meet the Team

Participant institutions:

Funding

PassCert is a CMU Portugal Exploratory Research Project that is funded by the Fundação para a Ciência e a Tecnologia (FCT).

Mon, 01 Jan 0001 00:00:00 +0000

PassCert Project

Example Event

bGSL: An Imperative Language for Specification and Refinement of Backtracking Programs

Related

Persistence of Passwords in Bitwarden's Browser Extension: Unnecessary Retention and Solutions

PassCert presentations at iFM 2022

Studying Users' Willingness to Use a Formally Verified Password Manager

Verified password generation from password composition policies

Implementação Certificada da Componente Criptográfica do Gestor de Passwords KeePass

SmartPasswords extension accepted by Bitwarden team

Related publications

Exploring Usable Security to Improve the Impact of Formal Verification: A Research Agenda

Formal Verification of Password Generation Algorithms used in Password Managers

On Usable Security and Verified Password Managers

SmartPasswords: Increasing Password Managers' Usability by Generating Compliant Passwords

Automatic Repair of Java Code with Timing Side-Channel Vulnerabilities

Towards Improving the Usability of Password Managers

PassCert presentations at INFORUM 2021

Photos

Research Assistant / PhD Position available

About Instituto Superior Técnico - University of Lisbon / INESC-ID

Practical recommendations for stronger, more usable passwords combining minimum-strength, minimum-length, and blocklist requirements

Skeptic: Automatic, Justified and Privacy-Preserving Password Composition Policy Selection

Evaluating the Accuracy of Password Strength Meters using Off-The-Shelf Guessing Attacks

Why people (don’t) use password managers effectively

PassCert﹕Exploring the Impact of Formal Verification on the Adoption of Password Security Software

Contacts

Funding