Password synchronization between devices is typically based on storing the encrypted passwords on a central server. Such a server may be subject to unauthorized access, which can lead to the disclosure of all passwords through an offline brute-force attack.
PALPAS is a novel password tool that creates strong, service-specific passwords and synchronizes them between your devices via a central synchronization server. However, PALPAS does not store or use any passwords on the synchronization server and is therefore not vulnerable to phishing attacks or security breaches.
PALPAS creates a strong password for each service that automatically complies with the password requirements of the service.
PALPAS synchronizes all your passwords between your devices but does not store a single password on the synchronization server.
The PALPAS synchronization server uses public-key cryptography instead of username and password to authenticate users.
The central idea of PALPAS is to generate each password from two inputs: a high-entropy secret that is shared by all of the user's devices, and a random salt value for each service. PALPAS stores only the salt values on the synchronization server, not the secret. The salt enables the user's devices to generate the same password but is statistically independent of the password. To generate passwords that comply with the different password requirements of the services, PALPAS uses password policies. PALPAS users need to memorize only a single password, and setting up PALPAS on an additional device requires only a one-time transfer of a small amount of static data.
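The following sketch is an added example, not PALPAS's own code or its actual construction; it illustrates the idea above of deriving a policy-compliant password from a shared secret and a server-stored salt. The use of HMAC-SHA256 as the generator, the policy format, and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string

# Hypothetical policy format (not PALPAS's own): password length plus the
# character classes a service allows, each of which must appear at least once.
POLICY = {"length": 16, "classes": [string.ascii_lowercase,
                                    string.ascii_uppercase,
                                    string.digits, "!#$%&*+-?@"]}

def _keystream(secret: bytes, salt: bytes):
    """Deterministic bytes: HMAC-SHA256(secret, salt || counter), counter = 0, 1, ..."""
    counter = 0
    while True:
        msg = salt + counter.to_bytes(4, "big")
        yield from hmac.new(secret, msg, hashlib.sha256).digest()
        counter += 1

def derive_password(secret: bytes, salt: bytes, policy: dict) -> str:
    """Map the keystream onto the policy's alphabet until the policy is met."""
    alphabet = "".join(policy["classes"])
    limit = 256 - 256 % len(alphabet)   # reject bytes >= limit: no modulo bias
    stream = _keystream(secret, salt)
    while True:
        chars = []
        while len(chars) < policy["length"]:
            b = next(stream)
            if b < limit:
                chars.append(alphabet[b % len(alphabet)])
        candidate = "".join(chars)
        # Retry with the next keystream bytes if a required class is missing.
        if all(any(c in cls for c in candidate) for cls in policy["classes"]):
            return candidate

def demo():
    secret = secrets.token_bytes(32)                    # held by the user's devices only
    server = {"mail.example": secrets.token_bytes(16)}  # server holds salts, no secret
    laptop = derive_password(secret, server["mail.example"], POLICY)
    phone = derive_password(secret, server["mail.example"], POLICY)
    server["mail.example"] = secrets.token_bytes(16)    # new salt gives a new password
    rotated = derive_password(secret, server["mail.example"], POLICY)
    return laptop, phone, rotated

if __name__ == "__main__":
    print(demo())
```

A party that obtains only the `server` dictionary holds random salts and nothing derived from the secret, so there is no password ciphertext to brute-force offline.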
A detailed research paper presenting PALPAS is available at arXiv.
The PALPAS source code will be available soon.
THIS IS EXPERIMENTAL SOFTWARE. USE AT YOUR OWN RISK.
Use PALPAS on Windows, Linux, or Mac.
Use PALPAS on your Android phone.
Run your own PALPAS server or use ours.
Technische Universität Darmstadt