A Strong Password Manager Using Multiple Encryption Techniques
https://doi.org/10.1007/s40031-024-01144-6
ORIGINAL CONTRIBUTION
Abstract Despite being frequently advised to by security professionals, still few users utilise password managers. This is due to security concerns including secrecy and privacy, among others. Sensitive data is frequently protected using RSA, especially when it is being transferred over an unreliable network like the internet. The most widely used RSA key sizes nowadays are 2048 and 1024 bits. The primary justification for adopting DSA is that an eavesdropper has found no known security flaws in it. Our objective is to develop a strong password manager using the RSA and DSA algorithms that allows users to generate and store complex passwords securely, thereby providing an additional layer of security against potential cyber-attacks. The use of weak passwords and the reuse of the same password across multiple accounts have made password-based authentication vulnerable to hacking attempts. Password managers have become a popular solution to these issues by enabling users to store their passwords securely. However, even password managers are susceptible to cyber-attacks if they are not properly secured. Additionally, the system will be protected with a master login to ensure that only authorized users have access to stored passwords. The use of cryptographic algorithms and the master login feature will enhance the security of the system, ensuring the protection of sensitive data.

Keywords Confidentiality · DSA · Multiple encryption · Privacy · RSA

* K. Baskar (corresponding author), K. Muthumanickam, P. Vijayalakshmi, S. Kumarganesh
1 Department of AIDS, Kongunadu College of Engineering and Technology, Trichy, Tamil Nadu, India
2 Department of IT, Kongunadu College of Engineering and Technology, Trichy, Tamil Nadu, India
3 Department of CSE, Knowledge Institute of Technology, Salem, Tamil Nadu, India
4 Department of ECE, Knowledge Institute of Technology, Salem, Tamil Nadu, India

Introduction

The user should bear in mind that the number of passwords used to access various online accounts has expanded significantly due to the growth of online services. A typical user, for example, is thought to have 25 different online accounts, all of which require passwords to manage and remember [1]. Although it is crucial for security to use different and strong secret passwords for your online accounts and never use the same one for different services, people find it difficult to remember so many different and complex passwords [2].
Password managers offer a solution to this problem by allowing users to store all their passwords in one place [3]. This reduces the risk of weak passwords, password reuse, and other security threats. Password managers also offer features such as password generation, two-factor authentication, and device synchronization. In this report, we'll look at how password managers work and their pros and cons [4]. We also compare the most popular password managers on the market and provide recommendations on how to use password managers effectively to ensure maximum security for online accounts [5].
J. Inst. Eng. India Ser. B
Some web-based password managers may reveal personal information. According to David Silver, attacks against various password managers are known, and one of the password managers available today, our password manager, has already exposed passwords to unauthorized persons. Another version is software-based password managers [6]. The downside of some password managers is that they only work on one computer, which is a problem. The construction and use of our approach is presented in this study [7]. The advantage of using a hardware-based password manager is that it can be used on many computers and with various programs (games, files, folders, etc.). With this approach, we stop all Internet-based attacks [8].
In 2012, LinkedIn and eHarmony were targeted and some sensitive data was taken. In 2014, a list of 5 million credentials appeared in the Russian Bitcoin community. These were Gmail accounts; however, some of them were not in use or had outdated passwords [9]. However, the legitimate accounts included several individuals belonging to such illustrious organizations as PayPal, Twitter, Microsoft, Uber, BBC, Facebook, Yahoo and Google. Attacks such as keylogging, man in the middle, social engineering and side channels are all considered [10].

Objective

The goal of this article is to design and develop a secure and easy-to-use system that allows users to store and manage login information for various websites and applications. The main goal is to provide users with a reliable and efficient solution to protect their accounts and personal data, while simplifying the login process across multiple platforms. Strong encryption and security protocols protect sensitive user data from potential threats such as hacking and phishing attacks, and synchronization across devices lets users access the password manager from anywhere, at any time. For added security, a password generator produces strong, unique passwords for each account. The system must be scalable and capable of handling large numbers of users and data securely. Thorough testing and quality assurance ensure system reliability and error-free operation. In order to keep the system up-to-date and secure, regular software updates and maintenance are required.

Scope of the Work

A system-based password manager is a password management solution that is built into your computer's operating system or network infrastructure. The user's secure database and their passwords can be accessed through a single sign-on (SSO) system. It helps organizations meet regulatory requirements with electronic password rotation and auditing and review capabilities. System-based password managers are typically more secure than stand-alone password managers because they provide a more integrated and centralized approach to password management.

Literature Survey

Passwords and other sensitive data may be securely stored with a TPM. Despite the fact that a lot of commercial password managers cache passwords using the TPM, they are unable to secure passwords during verification [11]. PwdCaVe is a novel TPM-based password caching and verification technique that was presented in this work [12]. PwdCaVe employs the TPM for password verification in addition to password caching. All password-related calculations in PwdCaVe are performed in the TPM [13]. Using a master password or security token, password managers safeguard user passwords [14]. If individuals utilize weak master passwords, it reduces their security. Because users must constantly have their security token in order to log in, usability is poor [15]. In this research, we present a novel password management architecture with secret sharing and a user-controlled personal server that provides high security and great usability [16].
Passwords are still the de facto authentication system in use today, despite several faults in their use having been found [17]. While password managers can help reduce the fatigue caused by forgetting passwords, most of them demand that the user select and keep a strong master password, and most offer little to no help if the master password is hacked. The increasing usage of cloud-based password managers gathers passwords into an encrypted database, which makes it a single point of failure and an appealing target for hackers [18]. Password managers were created recently by researchers [19] in an effort to address the memorability issues with authentication methods. Credentials were divided up into many files for storage using a decentralized file format architecture. The experiment's assessment outcome revealed a system that raised password managers' security [20, 21].
Users need to select and keep track of a large number of passwords since they have several accounts across various services [22]. Applications called password managers handle this issue by keeping user passwords. Due to the universal accessibility of account passwords, they are particularly helpful on mobile devices [23]. To secure passwords from unwanted, off-line access, password managers frequently employ key derivation procedures to transform the master password into a cryptographic key appropriate for encrypting the password list. Password security is therefore greatly impacted by design and implementation flaws in the key derivation mechanism [24].
In order to investigate the differences between password manager users and non-users, the authors of [25] interviewed 148 program participants in an online survey about their experiences using password managers [26]. A high degree of security is maintained even if a user chooses a human-remembered, low-randomness password for each account. We offer a threshold- and password-based, distributed, mutually authenticated key agreement with a secret key validation mechanism for usage in a smart home setting [27–29]. Confidentiality and integrity have been guaranteed by a number of authentication and encryption techniques. A payload-based authentication technique for distributed sensors for Internet of Things applications and networks was given by the authors in [30].

Proposed System

Our password manager is a cloud-based password manager that securely stores your login information and personal information. Its operating principles are as follows:
Account creation: The user creates an account with a master password that is used to access the password manager repository.
Password storage: Our password protection manager stores user passwords in encrypted storage on its servers.
Auto-Fill Login Credentials: This password manager automatically fills login credentials for websites and apps, saving users time and effort.
Suggest strong passwords: Our password manager can suggest strong passwords when you create new accounts or change passwords.
Two-factor authentication: Our project supports two-factor authentication, which adds an extra layer of security.
Synchronization on all devices: Our password manager synchronizes user passwords on all devices, so they can access their passwords from anywhere.
Password generator: Our password manager has a built-in password generator that creates random and secure passwords.
Secure Notes: In this system, secure notes such as bank account information or medical records can be stored in the user's vault.
Emergency Access: This password manager provides emergency access to your designated trusted contacts in the event of an emergency.
Multi-Factor Authentication: The system supports multi-factor authentication using methods such as Google Authenticator or a public key.
Activity Monitoring: The manager monitors account activity and sends alerts when suspicious activity is detected.
The overall working principle of the suggested technique is given in Fig. 1.

Working Principle

A password manager is a software application designed to store and manage all your passwords in one secure location. The working principles of password managers typically involve the following:
Encryption of Passwords: The password manager uses encryption to protect the passwords. The passwords are encrypted and stored on the user's device or on a cloud server. The encryption method used varies depending on the password manager.
Automatic Password Generation: The password manager can generate strong passwords for the user, eliminating the
need for the user to create and remember complex passwords for each account.
Auto-fill Login Credentials: Password managers can auto-fill login credentials for the user, making it easy for the user to log in to their accounts without having to remember passwords.
Syncing Across Devices: Most password managers allow the user to sync their passwords across multiple devices, so they can access their passwords from anywhere.
Overall, the working principles of password managers aim to simplify the management of passwords and improve their security by creating and storing complex passwords, encrypting them, and allowing users to access them easily and securely.

Password Manager

By storing your credentials in our password manager, you no longer have to remember multiple passwords or worry about forgetting them. You can access your accounts quickly and easily, without the risk of mistyping a password or using a weak one. It is shown in Fig. 3.

Programming Interface

A programming interface for a password manager should provide methods to securely store, retrieve, and update user passwords. It should also include encryption and decryption functions to ensure the protection of sensitive information, and a secure login mechanism to prevent unauthorized access to the password manager. It is shown in Fig. 4.
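As an added example (not part of the paper) of the password generation and strength analysis features listed under Proposed System and Working Principle, the following generator draws every character from the operating system's CSPRNG, enforces a character-class policy by rejection sampling, and estimates the entropy of a password in bits; the alphabet, the class policy and the 80-bit acceptance threshold are assumptions made for this example.

```python
import math
import secrets
import string

# Character classes the generator must cover (policy assumed for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALPHABET = "".join(CLASSES.values())  # 86 distinct characters


def has_all_classes(password: str) -> bool:
    return all(any(ch in cls for ch in password) for cls in CLASSES.values())


def generate_password(length: int = 20) -> str:
    """Draw each character with secrets (not random, which is predictable) and
    reject candidates that miss a class, so no position is forced to a class."""
    if length < len(CLASSES):
        raise ValueError("length must allow at least one character per class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def generated_entropy_bits(length: int) -> float:
    """Entropy of a uniformly random password over ALPHABET, ignoring the
    negligible loss introduced by rejecting class-incomplete candidates."""
    return length * math.log2(len(ALPHABET))


def estimate_entropy_bits(password: str) -> float:
    """Upper-bound estimate for a user-chosen password: the smallest pool that
    covers the classes it uses, raised to its length. True strength can only
    be lower, e.g. for dictionary words or keyboard patterns."""
    pool = sum(len(chars) for chars in CLASSES.values()
               if any(ch in chars for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def meets_policy(password: str, min_bits: float = 80.0) -> bool:
    """Acceptance check applied to both generated and user-supplied passwords."""
    return has_all_classes(password) and estimate_entropy_bits(password) >= min_bits


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, round(generated_entropy_bits(20), 1), meets_policy(pw))
```

A user-chosen password such as "Password1!" covers every class yet estimates at only about 64 bits, so the policy rejects it while a 20-character generated one passes with about 128 bits.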
Implementation
protocol forging and bounded session verification, EModel offers support for modelling an attacker who can launch guessing attacks against weak passwords and for the definition of algebraic characteristics of ciphering operators. The TMAnalyzer, on the other hand, executes protocol validation by approximating the eavesdropper's knowledge with regular tree languages and rewriting.

Performance Investigation

The simulation study and its impact on the recommended authentication security approaches are presented in this section. The volume of messages sent over the network and the amount of redundant data help to calculate the communication overhead. Assume that 'a' stands for the number of messages to be sent to a certain location, 'b' for the number of calculations needed to obtain the credentials, and 'c' for the size of the message. In addition, the memory overhead is computed as ((a-b)|c|)/b for a total of a(|c|)/b messages. The value of a and the communication overhead have an inverse relationship.
Figure 5 shows that the execution times for encryption and decryption processes vary depending on the quantity of the data. The least expensive execution times, for instance, were for RSA's encryption and DSA's decryption operations. DSA had superior performance, but RSA needed more memory. This suggests that when applied to devices with limited resources, security functions with various characteristics may have varying memory requirements and run times.
The findings in Figures 6 and 7 demonstrate that while RSA and DSA have differing execution times, they work better when combined. The combination is therefore better suited for real-time applications.

Discussions

Authentication attack—A study of the security of the AVISPA tool showed that it was difficult for an attacker to intercept authentication-based credentials and launch a man-in-the-middle or replay attack. Only authorised users are allowed to handle security credentials during the overall authentication validation process. The message's liveness is examined in each instance. Each user side can encrypt or decrypt a message only if it is a recent copy. In order to carry out specific types of attacks with the goal of revealing a user credential, an attacker would have to have the necessary security credentials, which is impossible.
Replay Attack—A replay attack entails resending a captured message by a listener who has obtained communications such as a user's public key or user ID. However, the huge prime number and hash function/value are two crucial authentication factors that are included in every message sent between any two communication participants. This makes it possible to verify the veracity of each message, helping to ensure its freshness.
Forward Secrecy—It is possible to stop an eavesdropper from learning the secret credentials by using a robust authentication and digital signature mechanism. After a successful login, the authentication process takes place only once. The secret credentials that stop an unauthorised user from impersonating an authorised organisation will therefore be impossible for an eavesdropper to obtain.

Conclusion and Future Work

The system-based password manager project provides a secure and efficient way to manage passwords and sensitive data. The project includes modules for user management, password storage and retrieval, encryption and decryption, access control, password policy enforcement, multi-factor
authentication, audit and reporting, password sharing, password generation, and backup and recovery. The proposed work also meets hardware and software requirements, and undergoes functional testing to ensure its reliability and accuracy. Because of the cloud's scalability and quick elasticity, workloads that need a huge quantity of servers but only temporarily can be performed more affordably. The system-based password manager project can provide an effective solution for individuals and organizations to enhance their data security and reduce the risk of password-related security breaches.
Some potential future enhancements for a password manager project could include: integration with additional authentication methods, such as biometric authentication; implementation of machine learning algorithms to improve password generation and strength analysis; integration with password breach notification services to alert users when their passwords may have been compromised; implementation of role-based access control to provide more granular control over user permissions; integration with third-party password management tools and platforms; implementation of cross-platform compatibility, allowing the password manager to be used on a wider range of devices; and integration with cloud-based backup and recovery solutions to provide more reliable and scalable backup options.

Author's Contribution All authors contributed to the study conception and design. Material preparation, data collection and analysis were performed by Muthumanickam K, Vijayalakshmi P, Kumarganesh S. The first draft of the manuscript was written by Baskar K and all authors commented on previous versions of the manuscript. All authors read and approved the final manuscript.

Funding No funding received by any government or private concern.

Data availability Data sharing not applicable to this article as no datasets were generated or analyzed during the current study.

Declarations

Conflict of interest The authors declare that they have no competing interests.

References

1. D. Florencio, C. Herley, A large-scale study of web password habits. in Proceedings of the 16th international conference on world wide web, 657–666, May 2007
2. J. Alex Halderman, B. Waters, E.W. Felten, A convenient method for securely managing passwords. in Proceedings of the 14th international conference on world wide web, 471–479, 2005
3. E.G.E. Grosse, M. Upadhyay, Authentication at scale. IEEE Security & Privacy 11(1), 15–22 (2013)
4. H. Wang, Y. Guo, X. Zhao, X. Chen, Keep passwords away from memory: password caching and verification using TPM. 22nd international conference on advanced information networking and applications (AINA 2008), Gino-wan, Japan, 755–762, 2008
5. M. Fukumitsu, S. Hasegawa, J.-Y. Iwazaki, M. Sakai, D. Takahashi, A proposal of a password manager satisfying security and usability by using the secret sharing and a personal server. 2016 IEEE 30th international conference on advanced information networking and applications (AINA), Crans-Montana, Switzerland, 661–668, 2016
6. L. Wang, Y. Li, K. Sun, Amnesia: a bilateral generative password manager. 2016 IEEE 36th international conference on distributed computing systems (ICDCS), Nara, Japan, 313–322, 2016
7. S. Agholor, A.S. Sodiya, A.T. Akinwale, O.J. Adeniran, A secured mobile-based password manager. 2016 sixth international conference on digital information processing and communications (ICDIPC), Beirut, Lebanon, 103–108, 2016
8. D. Ziegler, M. Rauter, C. Stromberger, P. Teufl, D. Hein, Do you think your passwords are secure? 2014 international conference on privacy and security in mobile systems (PRISMS), Aalborg, Denmark, 1–8, 2014
9. M. Fagan, Y. Albayram, M.M.H. Khan, R. Buck, An investigation into users' considerations towards using password managers. Hum.-Centric Comput. Inf. Sci. 7(12), 1–20 (2022)
10. A. Huszti, S. Kovács, N. Oláh, Scalable, password-based and threshold authentication for smart homes. Int. J. Inf. Secur. 21, 707–723 (2022)
11. N. Abosat, S. Al-Rubaye, G. Inalhan, Lightweight payload encryption-based authentication scheme for advanced metering infrastructure sensor networks. Sensors 22(534), 1–26 (2022)
12. A. Ghasempour, Internet of things in smart grid: architecture, applications, services, key technologies, and challenges. Inventions 4, 22 (2019)
13. A. Huseinovic, S. Mrdovic, K. Bicakci, S. Uludag, A survey of denial-of-service attacks and solutions in the smart grid. IEEE Access 8, 177447–177470 (2020)
14. M.B.M. Noor, W.H. Hassan, Current research on internet of things (IoT) security: a survey. Comput. Netw. 148, 283–294 (2019)
15. R. Sarenche, M. Salmasizadeh, M.H. Ameri, M.R. Aref, A secure and privacy-preserving protocol for holding double auctions in smart grid. Inf. Sci. 557, 108–129 (2021)
16. A. Khan, K. Vinod, A. Musheer, R. Saurabh, LAKAF: lightweight authentication and key agreement framework for smart grid network. J. Syst. Archit. 116, 102053 (2021)
17. H.S. Grover, D. Kumar, Cryptanalysis and improvement of a three-factor user authentication scheme for smart grid environment. J. Reliab. Intell. Environ. 6, 249–260 (2020)
18. A.A. Khan, V. Kumar, M. Ahmad, S. Rana, D. Mishra, PALK: password-based anonymous lightweight key agreement framework for smart grid. Int. J. Electr. Power Energy Syst. 121, 106121 (2020)
19. S.A. Chaudhry, Correcting PALK: password-based anonymous lightweight key agreement framework for smart grid. Int. J. Electr. Power Energy Syst. 125, 106529 (2021)
20. L. Deng, R. Gao, Certificateless two-party authenticated key agreement scheme for smart grid. Inf. Sci. 543, 143–156 (2021)
21. S.A. Chaudhry, H. Alhakami, A. Baz, F. Al-Turjman, Securing demand response management: a certificate-based access control in smart grid edge computing infrastructure. IEEE Access 8, 101235–101243 (2020)
22. Z. Wang, Y. Liu, Z. Ma, X. Liu, J. Ma, LiPSG: lightweight privacy-preserving Q-learning-based energy management for the IoT-enabled smart grid. IEEE Internet Things J. 7, 3935–3947 (2020)
23. A. Capossele, V. Cervo, G. De Cicco, C. Petrioli, Security as a CoAP resource: an optimized DTLS implementation for the IoT. in Proceedings of the 2015 IEEE international conference on communications (ICC), London, UK, 549–554, 8–12 June 2015
24. T.A. Alghamdi, A. Lasebae, M. Aiash, Security analysis of the constrained application protocol in the internet of things. in Proceedings of the second international conference on future generation communication technology, London, UK, 12–14 Nov 2013
25. Y. Maleh, A. Ezzati, M. Belaissaoui, An enhanced DTLS protocol for internet of things applications. in Proceedings of the 2016 international conference on wireless networks and mobile communications (WINCOM), Fez, Morocco, 168–173, 26–29 Oct 2016
26. R. Herrero, D. Hernandez, Forward error correction in real-time internet of things CoAP-based wireless sensor networks. IET Wirel. Sens. Syst. 9, 42–47 (2018)
27. J. Park, N. Kang, Lightweight secure communication for CoAP-enabled internet of things using delegated DTLS handshake. in Proceedings of the international conference on information and communication technology convergence, Busan, Korea, 28–33, 22–24 Oct 2014
28. R. Hummen, J.H. Ziegeldorf, H. Shafagh, S. Raza, K. Wehrle, Towards viable certificate-based authentication for the internet of things. in Proceedings of the 2nd ACM workshop on hot topics on wireless network security and privacy (HotWiSec'13), Budapest, Hungary, 37–42, 19 Apr 2013
29. R. Hummen, H. Shafagh, S. Raza, T. Voigt, K. Wehrle, Delegation-based authentication and authorization for the IP-based internet of things. in Proceedings of the 11th IEEE international conference on sensing, communication, and networking, Singapore, 284–292, 30 June–3 July 2014
30. P.M. Kumar, U.D. Gandhi, Enhanced DTLS with CoAP-based authentication scheme for the internet of things in healthcare application. J. Supercomput. 76, 3963–3983 (2020)