AutoPass: An Automatic Password Generator

Abstract: Text password has long been the dominant user authentication technique and is used by large numbers of Internet services. If they follow recommended practice, users are faced with the almost insuperable problem of generating and managing a large number of site-unique and strong (i.e. non-guessable) passwords. One way of addressing this problem is through the use of a password generator, i.e. a client-side scheme which generates (and regenerates) site-specific strong passwords on demand, with the minimum of user input. This paper provides a detailed specification and analysis of AutoPass, a password generator scheme previously outlined as part of a general analysis of such schemes. AutoPass has been designed to address issues identified in previously proposed password generators, and incorporates novel techniques to address these issues. Unlike almost all previously proposed schemes, AutoPass enables the generation of passwords that meet important real-world requirements, including forced password changes, use of pre-specified passwords, and generation of passwords meeting site-specific requirements.