Nowadays people use a variety of services available on the Internet, ranging from community services like Facebook, Twitter and MySpace to business services such as Amazon, eBay and banking services. Each of these services generally requires a user to prove their identity before accessing the Web site associated with the service; the most common way to validate a user's identity is to require user name/password-based authentication. As more and more services become available on the Internet, and as more and more businesses require a Web-based interaction in order for a user to conduct business, users are required to memorize a greater number of passwords for all these services. Users are generally advised to create a strong, hard-to-guess password for a banking Web site, while being allowed to choose weaker, easier-to-guess passwords for Web sites that do not hold financial or confidential user information. To help users remember each of their many passwords, a number of common strategies are used.
The “one-password-for-all-services” approach means exactly that: many users prefer using an identical user name/password pair for all the Internet services they access. The advantage of using the same password for all services is convenience; the disadvantage is that if the password becomes known to others, a malicious agent can use the stolen password to log on to any of the victim's Internet services on the victim's behalf and steal money or information. Another difficulty with this approach is that some Internet service providers set rules governing which passwords are acceptable. For example, some services require passwords longer than a designated number of characters; some require at least one digit, at least one letter, at least one other character, etc.; some restrict certain characters; and others require capital letters. So it is generally not feasible to use the same password for all Internet services unless the password can meet the rules set by every Internet service provider used, which is a rare situation.
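The following is an added example, not part of the original document, that models the kinds of per-provider password rules listed above (minimum length, required digit, letter, other character and capital, and restricted characters) and checks whether one shared password can satisfy several providers at once. The provider names, their policies and the candidate passwords are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PasswordPolicy:
    """One provider's acceptance rules (hypothetical, constructed for the example)."""
    name: str
    min_length: int = 0
    require_digit: bool = False
    require_letter: bool = False
    require_other: bool = False      # at least one non-alphanumeric character
    require_upper: bool = False      # at least one capital letter
    forbidden: frozenset = frozenset()  # characters this provider rejects outright

def violations(password: str, policy: PasswordPolicy) -> list:
    """Return the names of the rules in `policy` that `password` fails (empty list = accepted)."""
    failed = []
    if len(password) < policy.min_length:
        failed.append("min_length")
    if policy.require_digit and not any(c.isdigit() for c in password):
        failed.append("digit")
    if policy.require_letter and not any(c.isalpha() for c in password):
        failed.append("letter")
    if policy.require_other and not any(not c.isalnum() for c in password):
        failed.append("other")
    if policy.require_upper and not any(c.isupper() for c in password):
        failed.append("upper")
    if any(c in policy.forbidden for c in password):
        failed.append("forbidden")
    return failed

def check_against_all(password: str, policies) -> dict:
    """Map each provider name to the list of rules the password fails there."""
    return {p.name: violations(password, p) for p in policies}

def first_shared_password(candidates, policies):
    """Return the first candidate accepted by every provider, or None if there is none."""
    for pw in candidates:
        if all(not v for v in check_against_all(pw, policies).values()):
            return pw
    return None

# Constructed sample policies: a strict bank, a lax forum, and a legacy shop that
# rejects common punctuation characters.
POLICIES = [
    PasswordPolicy("bank", min_length=12, require_digit=True, require_letter=True,
                   require_other=True, require_upper=True),
    PasswordPolicy("forum", min_length=6, require_letter=True),
    PasswordPolicy("legacy_shop", min_length=8, forbidden=frozenset("!@#$%^&*")),
]

if __name__ == "__main__":
    for pw in ["summer2024", "Tr0ub4dor&3x", "Summer-Twenty24"]:
        print(pw, check_against_all(pw, POLICIES))
```

Only a password meeting the union of every provider's rules (here, the third candidate) is accepted everywhere; any provider whose restrictions conflict with another's requirements makes such a password impossible.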
Another approach is the old-fashioned “write-it-down” approach, a time-honored way to help people remember something worth remembering. The user simply writes down the password for each Internet service and keeps the sheet of paper in a secure place (or not). This approach is not secure if the sheet is poorly hidden, left out in the open, or stolen. Another risk is that if the sheet is lost (or taken), the user may be unable to log on to many Internet services because they will not remember the correct passwords.
The “remember-my-password” approach uses the computer to assist. Some Internet browsers provide a function for storing a user's credentials (such as the password) on the computer. Once the user successfully logs on to a Web site, the browser may offer to store the user's password. The next time the user wants to log on to that Web site, the browser automatically enters the stored password into the password input box on the Web page. The drawback of this approach is that anyone else using this computer, including a malicious user, can log on to any Internet service whose password has been stored in the browser. It may also be possible for a sophisticated hacker to remotely retrieve passwords stored in this fashion.
Because users are increasingly required to provide many different passwords, and in light of the disadvantages of the current techniques described above, a password management technique is desired that would not only provide secure passwords but also allow a user to remember them easily without risking their loss.