Fluid Passwords - Mitigating the effects of password leaks at the user level

TL;DR

This paper presents a Firefox add-on that automatically resets user passwords after breaches, reducing risks from leaked credentials without requiring user effort.

Contribution

It introduces a novel automatic password reset algorithm integrated into a browser extension to mitigate the impact of password leaks.

Findings

Successfully implemented as a Firefox add-on

Automatically resets passwords upon login

Stores new passwords securely in Firefox password manager

Abstract

Password leaks have been frequently reported in recent years, with big companies like Sony, Amazon, LinkedIn, and Walmart falling victim to breaches involving the release of customer information. Even though passwords are usually stored in a salted hash, attackers still guess passwords because of insecure password choices and password reuse. However, the adverse effects of a password breach can be mitigated by changing users' passwords. We introduce a simple yet powerful algorithm to reset user account passwords automatically, while still allowing users to authenticate without any additional effort on their part. We implemented our algorithm as a Firefox add-on that automatically resets a user's password when they log in to their account, and stores the new password in the built-in Firefox password manager.