Mercury: Recovering Forgotten Passwords Using Personal Devices

  • Mohammad Mannan
  • David Barrera
  • Carson D. Brown
  • David Lie
  • Paul C. van Oorschot
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7035)


Instead of allowing the recovery of original passwords, forgotten passwords are often reset using online mechanisms such as password verification questions (PVQ methods) and password reset links in email. These mechanisms are generally weak, exploitable, and force users to choose new passwords. Emailing the original password exposes the password to third parties. To address these issues, and to allow forgotten passwords to be securely restored, we present a scheme called Mercury. Its primary mode employs user-level public keys and a personal mobile device (PMD) such as a smart-phone, netbook, or tablet. A user generates a key pair on her PMD; the private key remains on the PMD and the public key is shared with different sites (e.g., during account setup). For password recovery, the site sends the (public key)-encrypted password to the user’s pre-registered email address, or displays the encrypted password on a webpage, e.g., as a barcode. The encrypted password is then decrypted using the PMD and revealed to the user. A prototype implementation of Mercury is available as an Android application.


Android Application Personal Device Account Creation USENIX Security Symposium Password Manager 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Ahmad, D.: The confused deputy and the domain hijacker. IEEE Security an Privacy 6(1) (2008)Google Scholar
  2. 2.
    Android Open Source Project. Data storage (android developers),
  3. 3. Obama Twitter account hacked by Frenchman(March 24, 2010),
  4. 4.
    Bonneau, J., Preibusch, S.: The password thicket: Technical and market failures in human authentication on the web. In: Workshop on the Economics of Information Security (WEIS 2010), Cambridge, MA, USA (June 2010)Google Scholar
  5. 5.
    Dodson, B., Sengupta, D., Boneh, D., Lam, M.S.: Secure, consumer-friendly web authentication and payments with a phone. In: Conference on Mobile Computing, Applications, and Services (MobiCASE 2010), Santa Clara, CA, USA (October 2010)Google Scholar
  6. 6.
    Ellison, C.M., Hall, C., Milbert, R., Schneier, B.: Protecting secret keys with personal entropy. Future Generation Computer Systems 16(4) (February 2000)Google Scholar
  7. 7.
    Florêncio, D., Herley, C., Coskun, B.: Do strong web passwords accomplish anything? In: USENIX Workshop on Hot Topics in Security (HotSec 2007), Boston, MA, USA (August 2007)Google Scholar
  8. 8.
    Garfinkel, S.: Email-based identification and authentication: An alternative to PKI? IEEE Security and Privacy 1(6) (2004)Google Scholar
  9. 9. Gmail ups security after Chinese attack. News article (January 13, 2010),
  10. 10.
    Jakobsson, M., Stolterman, E., Wetzel, S., Yang, L.: Love and authentication. In: Conference on Human Factors in Computing Systems (CHI 2008), Florence, Italy (April 2008)Google Scholar
  11. 11.
    Jonsson, J., Kaliski, B.: Public-key cryptography standards (PKCS) #1: RSA cryptography specifications version 2.1. RFC 3447, Category: Informational (February 2003)Google Scholar
  12. 12.
    Lopez, J., Oppliger, R., Pernul, G.: Why have public key infrastructures failed so far. Internet Research 15(5) (2005)Google Scholar
  13. 13.
    Mannan, M., van Oorschot, P.: Digital objects as passwords. In: USENIX Workshop on Hot Topics in Security (HotSec 2008), San Jose, CA, USA (July 2008)Google Scholar
  14. 14.
    McCune, J.M., Perrig, A., Reiter, M.K.: Seeing-is-believing: Using camera phones for human-verifiable authentiction. Security and Networks 4(1–2) (2009)Google Scholar
  15. 15.
    Mitnick, K., Simon, W.L.: The Art of Deception. Wiley (2002)Google Scholar
  16. 16.
    Rabkin, A.: Personal knowledge questions for fallback authentication. In: Symposium on Usable Privacy and Security (SOUPS 2008), Pittsburgh, USA (July 2008)Google Scholar
  17. 17.
    Renaud, K., Just, M.: Pictures or questions? Examining user responses to association-based authentication. In: British HCI Conference, Dundee, Scotland (September 2010)Google Scholar
  18. 18.
    Ross, B., Jackson, C., Miyake, N., Boneh, D., Mitchell, J.C.: Stronger password authentication using browser extensions. In: USENIX Security Symposium, Baltimore, MD, USA (2005)Google Scholar
  19. 19.
    Schechter, S., Brush, A.J.B., Egelman, S.: It’s no secret. Measuring the security and reliability of authentication via ‘secret’ questions. In: IEEE Symposium on Security and Privacy (May 2009)Google Scholar
  20. 20.
    Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., Kruegel, C., Vigna, G.: Your botnet is my botnet: Analysis of a botnet takeover. In: ACM Computer and Communications Security (CCS 2009), Chicago, IL, USA (November 2009)Google Scholar
  21. 21. Reused login credentials. Security advisory (February 2, 2010),
  22. 22.
    Whitten, A., Tygar, J.D.: Why Johnny can’t encrypt: A usability evaluation of PGP 5.0. In: USENIX Security Symposium, Washington, D.C, USA (1999)Google Scholar
  23. 23. Palin e-mail hacker says it was easy (September18, 2008),
  24. 24.
    Zhang, Y., Monrose, F., Reiter, M.: The security of modern password expiration: An algorithmic framework and empirical analysis. In: ACM Computer and Communications Security (CCS 2010), Chicago, IL, USA (October 2010)Google Scholar
  25. 25.
    Zviran, M., Haga, W.J.: Cognitive passwords: The key to easy access control. Computers & Security 9(8) (1990)Google Scholar
  26. 26.
    Zviran, M., Haga, W.J.: A comparison of password techniques for multilevel authentication mechanisms. Computer Journal 36(3) (1993)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Mohammad Mannan
    • 1
  • David Barrera
    • 2
  • Carson D. Brown
    • 2
  • David Lie
    • 1
  • Paul C. van Oorschot
    • 2
  1. 1.Dept. of Electrical and Computer EngineeringUniversity of TorontoTorontoCanada
  2. 2.School of Computer ScienceCarleton UniversityOttawaCanada

Personalised recommendations