Standardized internet password management

Background:

I am looking to drum up interest in delivering this functionality. I’m tired of doing it manually. Please comment if interested.
Some users on the Internet use the same passwords for all or a lot of their sites/services.
More security-savvy users use a password program to ‘remember’ their passwords.
These users, however, typically cannot do a good job of managing passwords on an ongoing basis.
Password programs provide two functions: they ‘remember’ passwords that are fed to them, and in most cases they ‘automatically enter’ passwords when the user wants to access the website/resource that needs the password. They also generally result in users never changing their passwords.

Problem statement:
Users who manage passwords for the Internet with password programs have no good way to manage the process of creating, maintaining and updating those passwords so as to adhere to security best practices.
This includes adhering to password complexity, expiration etc.

Abstract:
I, like many of you, run software to keep track of my passwords. Most browsers and operating systems have some sort of password managers, and some of them sync to multiple devices as well.

This is great, as it solves one of the issues of maintaining good security for yourself, but it is still tedious to maintain those passwords after the fact.

I would like to propose a standard that allows password apps to better interface to the services that they have passwords for.

There *are* universal authentication methods such as OpenID, but most users still perceive these as risky, since they figure that once (if) the id is compromised, they are in big trouble. With this proposal, the master key is as secure as the current system: it's stored by the user’s local password app.

Potential solution components:

OAuth2 is on its way to becoming a standard, and it allows users to grant apps specific rights to their data/services. This happens by issuing access tokens, and is well described here.

I would like to build a standard OAuth flow: a standard set of web services through which an agent can check and change passwords for you. I want to be able to tell my 1Password app to go change all my old or inferior passwords to new, better, auto-generated passwords in as automated a way as is possible/secure.

If the services are done right, there should never be “incorrect login attempts” against the password-change service, so by limiting API use to two or three calls a day per user, I think brute force attacks can be mitigated. I'll let the security folks weigh in.

Initial draft web services/features thoughts:

Initial Setup:

  • Standardized API entry point where apps can detect support for this set of APIs: perhaps the site's fully qualified domain name, prefixed with the protocol name, e.g. pwcp.website.company.com, where pwcp might stand for “password control protocol”.
  • OAuth to get a “password management” code. This would use the usual OAuth flow.
  • Each time a password operation is to be performed, the code is used, as per OAuth2, to retrieve a short-lived token for that operation.

Standardized Password Workflows:
  • Request current password age/status (Never return an actual password)
  • Change current password. (Hashed with token perhaps?)
  • Query supported password length/age/complexity for auto generated passwords

Questions:
  • What security holes exist?
  • Should we simply use the existing username/password to implement this?

Example complete flow: Setup
  1. User launches Password Management App (PMA)
  2. User selects password entry for site widgets.acme.com
  3. PMA has no stored tokens/codes for the Password Control Protocol… so:
  4. PMA reaches out and tries to connect to pwcp.widgets.acme.com; if unsuccessful, gracefully ignore and abort.
  5. User is redirected, using standard OAuth2, to the website’s own authorization page to grant the app the specific right to manage passwords/recovery information.
  6. If user declines, gracefully exit.
  7. If user accepts, we are issued an access code, which is stored, hidden, in the Password app database.
  8. PMA uses OAuth to get a short-lived access token using the Code.
  9. Using the token, PMA retrieves password profile information (Complexity requirements, length, max age, expiration date) and stores all this information locally with the password itself.
  10. PMA is now able to check/warn of inferior passwords, password expiration etc.

Example complete flow: Password change
  1. User launches Password Management App (PMA)
  2. User selects the password entry for site widgets.acme.com and selects “Change to new generated password” (or issues a bulk command such as “Change all inferior passwords”).
  3. PMA uses OAuth with Code to get a short-lived access token.
  4. Using the token, PMA changes the password on the server, submitting ONLY the new password (and gets the updated password policy back if successful).