Horcrux: A Password Manager for Paranoids
Hannah Li, David Evans

TL;DR
Horcrux is a decentralized, privacy-preserving password manager that minimizes trust and attack surfaces by splitting components, secret-sharing credentials, and using cuckoo hashing to protect against offline attacks, while maintaining usability.
Contribution
The paper introduces Horcrux, a novel password manager design that decentralizes trust, isolates sensitive code, and employs cuckoo hashing for enhanced privacy and security.
Findings
Compatible with over 98% of tested login forms
Effectively isolates sensitive components for security
Uses secret sharing to avoid centralized credential storage
Abstract
Vulnerabilities in password managers are unremitting because current designs provide large attack surfaces, both at the client and server. We describe and evaluate Horcrux, a password manager that is designed holistically to minimize and decentralize trust, while retaining the usability of a traditional password manager. The prototype Horcrux client, implemented as a Firefox add-on, is split into two components, with code that has access to the user's master password and any key material isolated into a small auditable component, separate from the complexity of managing the user interface. Instead of exposing actual credentials to the DOM, a dummy username and password are autofilled by the untrusted component. The trusted component intercepts and modifies POST requests before they are encrypted and sent over the network. To avoid trusting a centralized store, stored credentials are…
Taxonomy
Topics: User Authentication and Security Systems · Advanced Malware Detection Techniques · Security and Verification in Computing
