This book investigates the tradeoff between security and usability in designing leakage resilient
password systems (LRP) and introduces two practical LRP systems named Cover Pad and ShadowKey.
It demonstrates that existing LRP systems are subject to both brute force attacks and
statistical attacks and that these attacks cannot be effectively mitigated without sacrificing
the usability of LRP systems. Quantitative analysis proves that a secure LRP system in
practical settings imposes a considerable amount of cognitive workload unless certain secure
channels are involved. The book introduces a secure and practical LRP system named Cover Pad
for password entry on touch-screen mobile devices. Cover Pad leverages a temporary secure
channel between a user and a touch screen, which can be easily realized by placing a
hand-shielding gesture on the touch screen. The temporary secure channel is used to deliver a hidden
message to the user for transforming each password symbol before entering it on the touch
screen. A user study shows the impact of these testing conditions on the users' performance in
practice. Finally, this book introduces a new LRP system named ShadowKey. ShadowKey is
designed to achieve better usability for leakage resilient password entry. It leverages either
a permanent secure channel which naturally exists between a user and the display unit of
certain mobile devices or a temporary secure channel which can be easily realized between a
user and a touch screen with a hand-shielding gesture. The secure channel protects the mappings
between original password symbols and associated random symbols. Unlike users of previous LRP
systems, ShadowKey users do not need to remember anything except their passwords. Leakage
Resilient Password Systems is designed for professionals working in the security industry.
Advanced-level students studying computer science and electrical engineering will find this
brief full of useful material.