We are asked to remember far too many passwords. This problem is most acute on the web. And thus, unsurprisingly, it is on the web that technical solutions have had most success in replacing users’ ad hoc coping strategies. One of the longest established and most widely adopted technical solutions is a password manager: software that remembers passwords and submits them on the user’s behalf. But this isn’t as straightforward as it sounds. In our recent work on bootstrapping adoption of the Pico system [1], we’ve come to appreciate just how hard life is for developers and maintainers of password managers.
In a paper we are about to present at the Passwords 2014 conference in Trondheim, we introduce our proposal for Password Manager Friendly (PMF) semantics [2]. PMF semantics are designed to give developers and maintainers of password managers a bit of a break and, more importantly, to improve the user experience.
What’s the problem?
Ignoring issues of style and presentation, password-based authentication on the web is a fairly consistent process. To log in, users first find the login form, enter their username and password, and then press return or click the submit button. And, to a first approximation, the behaviour of the browser and the website is consistent as well: the username and password are sent to the server in an HTTPS POST request and a session cookie is returned. However, when we look in more detail, we see a huge range of variations, some subtle and some baffling. Despite being imperceptible to end users, such variations often require password managers to implement complex heuristics, for example, to identify the correct form to submit or to fill in the correct field within that form.
The heuristics used by password managers are inherently brittle. And when they fail it is the poor user that has to pick up the pieces. In the example shown below the user is prompted to remember an incorrect username and password for their Facebook account. That’s just plain annoying.
What to do?
To reduce password managers’ dependence on fragile heuristics, we propose adding “password-manager friendly” (PMF) semantic markup to the HTML forms used to create, access and manage user accounts. The PMF markup is designed to simplify the following tasks:
- Finding forms and determining their purpose (login, registration, and so on),
- finding the important inputs within the forms,
- parsing password policies and generating valid new passwords, and
- detecting errors.
In PMF we use semantic class names to label forms and input elements; this is a simple and pragmatic approach used in other HTML microformats. Although HTML form elements have other attributes, such as name and type, which may often give sufficient semantic information, standardised class values are used to remove any ambiguity. We use the pmf prefix as a poor man’s namespace to avoid clashes with programmer-defined class names. For example, under the PMF proposal a login form is marked with the pmf-login class:
<form action="/login" method="POST" class="pmf-login">
PMF semantics allow the username and password input elements of an HTML form to be unambiguously identified. Furthermore, for password inputs, PMF allows software to differentiate between inputs intended for new passwords and those intended for existing ones. Password resets and changes are particularly tricky for a password manager because the software cannot tell—in the case where a user may have multiple accounts with the same website—which account’s password is being changed. PMF solves this issue by requiring a hidden-type field in these forms, marked with the pmf-username semantic class and with its value set to the username of the relevant account:
<form action="/reset" method="POST" class="pmf-reset-password">
<input type="hidden" class="pmf-username" value="jimbojones"/>
Large-scale password leaks have shown that many users optimise for memorability and convenience rather than security, choosing trivially guessable passwords like 123456, qwerty or password. Password composition policies (“between 8 and 16 characters, of which at least one uppercase, one digit and one symbol”) are an attempt to enforce selection of passwords that will be harder to guess. Although we may not always agree with the password policies that websites impose, PMF allows websites to specify a machine-readable (JSON) description of their password composition policy to aid password managers in generating strong, compliant passwords.
All password managers rely on fallible heuristics. Such code is complex, never fully accurate and in need of constant updates, and every password manager developer wastefully replicates the same effort. We argue that all parties would benefit if websites offered a standard interface to password managers, enabling consistent and accurate agent-supported password creation, registration and login, without brittle programmatic guesswork. Our PMF proposal, of augmenting a website’s password pages with simple and unambiguous machine-readable semantics, makes the operation of password managers much simpler and more reliable. Users benefit from reduced cognitive load and reduced typing burden. Reliable generation of strong random passwords increases security for both users and websites. A well-defined interface eliminates guesswork and makes the password manager code leaner and much easier to maintain.
We are not the first to have identified these problems [3], but we do have a solution with potential: our PMF proposal is straightforward and pragmatic. We’d really love to see our PMF proposal turned from a relatively modest idea in a conference publication into something that makes life that little bit easier for millions of people. So, if you’re kept awake by the horrors of maintaining a password manager, or if you’d just like to make password managers work a little bit better, we’d love to hear from you.
[1] Stajano, F., Jenkinson, G., Payne, J., Spencer, M., Stafford-Fraser, Q., Warrington, C.: Bootstrapping adoption of the Pico password replacement system. In: Christianson, B., Malcolm, J.A., Matyás, V., Svenda, P., Stajano, F., Anderson, J. (eds.) Security Protocols XXII: 22nd International Workshop, Cambridge, UK, March 19–21, 2014, Revised Selected Papers. Lecture Notes in Computer Science, vol. 8809, pp. 172–186. Springer (2014)
[2] Stajano, F., Spencer, M., Jenkinson, G.: Password-manager friendly (PMF): Semantic annotations to improve the effectiveness of password managers. Final version to appear in Proceedings of Passwords 2014, Springer LNCS.
[3] Dolske, J.: On Firefox’s Password Manager. https://blog.mozilla.org/dolske/2013/08/20/on-firefoxs-password-manager/ (accessed 2014-11-24)