SplitPass: A Mutually Distrusting Two-Party Password Manager

Using a password manager is known to be more convenient and secure than not using one, on the assumption that the password manager itself is safe. However recent studies show that most popular password managers have security vulnerabilities that may be fooled to leak passwords without users' awareness. In this paper, we propose a new password manager, SplitPass, which vertically separates both the storage and access of passwords into two mutually distrusting parties. During login, all the parties will collaborate to send their password shares to the web server, but none of these parties will ever have the complete password, which significantly raises the bar of a successful attack to compromise all of the parties. To retain transparency to existing applications and web servers, SplitPass seamlessly splits the secure sockets layer (SSL) and transport layer security (TCP) sessions to process on all parties, and makes the joining of two password shares transparent to the web servers. We have implemented SplitPass using an Android phone and a cloud assistant and evaluated it using 100 apps from top free apps in the Android official market. The evaluation shows that SplitPass securely protects users' passwords, while incurring little performance overhead and power consumption.