PALPAS - PAsswordLess PAssword Synchronization
This addresses the problem of password security and synchronization for users by providing a more secure and user-friendly alternative to existing tools, though it is incremental in improving upon current methods.
The paper tackles the security risk of centralized password synchronization tools by introducing PALPAS, a tool that generates passwords from a high-entropy secret and random salts stored on a server, eliminating the need for a central password database and reducing vulnerability to brute-force attacks.
Tools that synchronize passwords over several user devices typically store the encrypted passwords in a central online database. For encryption, a low-entropy, password-based key is used. Such a database may be subject to unauthorized access which can lead to the disclosure of all passwords by an offline brute-force attack. In this paper, we present PALPAS, a secure and user-friendly tool that synchronizes passwords between user devices without storing information about them centrally. The idea of PALPAS is to generate a password from a high entropy secret shared by all devices and a random salt value for each service. Only the salt values are stored on a server but not the secret. The salt enables the user devices to generate the same password but is statistically independent of the password. In order for PALPAS to generate passwords according to different password policies, we also present a mechanism that automatically retrieves and processes the password requirements of services. PALPAS users need to only memorize a single password and the setup of PALPAS on a further device demands only a one-time transfer of few static data.