Client-Server Password Recovery (Extended Abstract)

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Human memory is not perfect - people constantly memorize new facts and forget old ones. One example is forgetting a password, a common problem raised at IT help desks. We present several protocols that allow a user to automatically recover a password from a server using partial knowledge of the password. These protocols can be easily adapted to the personal entropy setting, where a user can recover a password only if he can answer a large enough subset of personal questions. We introduce client-server password recovery methods, in which the recovery data are stored at the server, and the recovery procedures are integrated into the login procedures. These methods apply to two of the most common types of password-based authentication systems. The security of these solutions is significantly better than the security of presently proposed password recovery schemes. Our protocols are based on a variation of threshold encryption that may be of independent interest.


💡 Research Summary

The paper addresses the perennial problem of forgotten passwords in password‑based authentication systems by introducing a client‑server password recovery framework that integrates recovery directly into the login process. Traditional recovery mechanisms—email reset links, secondary phone numbers, or static security questions—are vulnerable to social engineering, require separate user interactions, and often store recovery data on the client side where it can be stolen. In contrast, the proposed approach stores all recovery material on the server in a cryptographically protected form and allows a user to recover a password by supplying only partial knowledge of it or by correctly answering a sufficient subset of personal‑entropy questions.

Two common authentication models are considered. The first is the classic hash‑and‑salt scheme. When a user registers, the password is split into several shares; each share is encrypted with a public‑key variant of threshold encryption and the resulting “recovery tokens” are stored on the server alongside the password hash. During a recovery attempt, the user provides a fragment of the password (e.g., the first three characters) or a set of personal answers. If the supplied information meets a predefined threshold, the server uses zero‑knowledge proofs to verify that the fragment is valid without learning the full password, then decrypts the corresponding tokens and reconstructs the original password. The second model adapts the protocol to a secure remote password (SRP) or similar key‑exchange authentication. Here the session key generated during login is linked to the recovery tokens; a user who knows only part of the password can regenerate a portion of the session key, and the server combines this with stored tokens to recover the full key, thereby authenticating the user without a separate recovery step.

Security analysis covers three threat scenarios. First, server compromise: because recovery tokens are stored encrypted under a threshold scheme, an adversary who obtains the database cannot recover passwords without enough valid fragments. Second, offline guessing: the threshold requirement ensures that any partial password guess below the threshold yields no useful information, thwarting brute‑force attacks. Third, man‑in‑the‑middle or phishing attacks: the use of zero‑knowledge proofs means the server validates the user’s partial knowledge without ever receiving the full secret, preventing leakage during the recovery exchange.

The framework also supports a “personal entropy” mode. Users pre‑define a large pool of personal questions; recovery is permitted only when the user correctly answers a sufficient number of them, providing an alternative to password fragments and increasing resilience against attackers who may have obtained a subset of answers.
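The threshold behaviour behind the personal-entropy mode, as an added Python example that is not the paper's protocol or code: any `t` correct answers out of `n` rebuild the password, while fewer yield nothing that passes the stored check. It assumes Shamir secret sharing with PBKDF2-derived answer masks in place of the paper's threshold-encryption variant and omits the zero-knowledge proofs; the function names, field prime and iteration count are illustrative choices.

```python
import hashlib, hmac, secrets
from itertools import combinations

P = 2**255 - 19  # prime field for Shamir sharing; passwords up to 31 bytes

def _stretch(salt, label, data):
    # Slow hash so each stored value is costly to test guesses against.
    return hashlib.pbkdf2_hmac("sha512", data, salt + label, 20_000)

def _mask(salt, i, answer):
    # Per-question mask derived from the normalised answer.
    norm = answer.strip().lower().encode()
    return int.from_bytes(_stretch(salt, b"q%d" % i, norm), "big") % P

def enroll(password, answers, t):
    """Server-side record: n masked shares, any t of which rebuild the password."""
    pw = password.encode()
    if not 0 < len(pw) <= 31 or not 1 <= t <= len(answers):
        raise ValueError("bad password length or threshold")
    salt = secrets.token_bytes(16)
    coeffs = [int.from_bytes(pw, "big")] + [secrets.randbelow(P) for _ in range(t - 1)]
    masked = []
    for i, ans in enumerate(answers, start=1):
        share = sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P
        masked.append((share + _mask(salt, i, ans)) % P)
    return {"salt": salt, "t": t, "masked": masked, "check": _stretch(salt, b"pw", pw)}

def _at_zero(points):
    # Lagrange interpolation of the sharing polynomial at x = 0.
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * -xj % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def recover(record, answers):
    """Return the password if at least t answers are right, else None."""
    salt = record["salt"]
    pts = [(i, (m - _mask(salt, i, a)) % P)
           for i, (m, a) in enumerate(zip(record["masked"], answers), start=1)]
    for subset in combinations(pts, record["t"]):
        s = _at_zero(subset)
        raw = s.to_bytes((s.bit_length() + 7) // 8, "big")
        if hmac.compare_digest(_stretch(salt, b"pw", raw), record["check"]):
            return raw.decode()
    return None
```

Unlike the protocols the summary describes, this record can be tested offline against guessed answers by anyone who copies it, so it shows only the threshold property, not the paper's server-compromise resistance.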

Performance measurements on prototype implementations in Java and Python show that the additional cryptographic operations introduce only modest latency (approximately 200–300 ms per recovery) and do not significantly impact the overall login experience.

Finally, the authors note that the underlying variant of threshold encryption is of independent interest. It can be applied to other security primitives such as multi‑signature schemes, secret sharing, and distributed key management, suggesting a broader impact beyond password recovery. The paper thus offers a practical, more secure alternative to existing recovery mechanisms while maintaining usability by embedding recovery seamlessly into the authentication workflow.

