To gain access to protected resources, users are often required to enter static passwords to prove their identity. Different applications, accounts or other types of protected resources associated with a given user may each require entry of a distinct alphanumeric password, so the user must remember multiple such passwords in order to access the corresponding resources. This is not only unduly burdensome for the user, but can also undermine security in that the user will often write down the passwords or otherwise make them vulnerable to inadvertent disclosure.
Various techniques have been developed in an attempt to alleviate this situation. For example, it is possible for a user to store multiple passwords in encrypted form in a so-called password “vault” that is protected by a master password. Password vaults are an increasingly popular tool for users to manage and protect their many passwords. Nonetheless, such arrangements can remain susceptible to attack. In the case of a password vault, compromise of the master password gives the attacker immediate access to multiple valid passwords stored in the vault. This is a real risk, as users often pick weak passwords, particularly for passwords that they use often, such as master passwords.
Moreover, a service provider that stores password vaults for a population of users risks en bloc compromise and cracking of these vaults, and a cascade of compromises of applications, accounts or other protected resources associated with the passwords contained in these vaults. Similar issues arise in hashed password files and other arrangements involving storage of multiple valid passwords or other types of credentials.
Conventional techniques have been unable to provide adequate protection of password vaults and other types of credential stores, particularly when the stores are held by a service provider or other similar entity on behalf of a user.
Accordingly, a need exists for techniques that can provide improved security for password vaults and other credential stores.