PALPAS - PAsswordLess PAssword Synchronization

Tools that synchronize passwords over several user devices typically store the encrypted passwords in a central online database. For encryption, a low-entropy, password-based key is used. Such a database may be subject to unauthorized access which can lead to the disclosure of all passwords by an offline brute-force attack. In this paper, we present PALPAS, a secure and user-friendly tool that synchronizes passwords between user devices without storing information about them centrally. The idea of PALPAS is to generate a password from a high entropy secret shared by all devices and a random salt value for each service. Only the salt values are stored on a server but not the secret. The salt enables the user devices to generate the same password but is statistically independent of the password. In order for PALPAS to generate passwords according to different password policies, we also present a mechanism that automatically retrieves and processes the password requirements of services. PALPAS users need to only memorize a single password and the setup of PALPAS on a further device demands only a one-time transfer of few static data.

💡 Research Summary

The paper introduces PALPAS (PAsswordLess PAssword Synchronization), a novel system that eliminates the need to store passwords centrally while still allowing users to synchronize them across multiple devices. Traditional password managers encrypt stored passwords with a key derived from a low‑entropy master password; if the synchronization server is compromised, attackers can launch offline brute‑force attacks to recover all user passwords. PALPAS avoids this fundamental flaw by never storing passwords on the server. Instead, each device shares a high‑entropy secret seed S, generated once and transferred manually to all devices. The seed is locally encrypted with a key K_MPW derived from the user’s master password, which is used only for local protection and never leaves the device.

For each online service, PALPAS generates a random salt value. The salt, together with the shared seed, feeds a cryptographically secure pseudorandom generator (PRG) that produces a deterministic random string. A password generator (PG) then maps this string to a password that satisfies the service’s password policy. Because the PRG and PG are deterministic, the same seed, salt, and policy always yield the same password, enabling seamless synchronization.

Salts are stored on a central Salt Synchronization Service (SSS). To protect user privacy, the identifier used to retrieve a salt is not the raw URL but a hash of the URL combined with a secret key K_E that is also shared among the user’s devices. Consequently, the server learns only that a salt exists for a particular hashed identifier, revealing no information about which services the user actually uses.

Password policies are handled by a separate Password Policy Service (PPS). Users initially input the requirements of a service (length, character sets, mandatory characters). The PPS validates these entries through plausibility checks, entropy thresholds, and a crowd‑sourced verification process that requires multiple users to submit matching policies before publication. A reputation system helps clients decide whether to trust a given policy. Once published, PALPAS automatically downloads and caches the policy, eliminating the need for users to manually look up requirements on each website.

Authentication to the SSS is performed with public‑key cryptography rather than a password, removing the classic phishing vector associated with password‑based logins. Each device generates its own key pair; the server stores the public keys and authenticates devices accordingly.

The security analysis demonstrates that a breach of the SSS yields only salts and hashed identifiers, which are statistically independent of the actual passwords and therefore useless for offline attacks. The seed remains protected by K_MPW, making it infeasible to recover without the master password. Public‑key authentication prevents credential theft during login, and the automatic policy retrieval mechanism improves usability without sacrificing security.

In summary, PALPAS achieves a balanced solution to the “security‑usability‑privacy” triangle: passwords are never stored centrally, service‑specific policies are applied automatically, and authentication relies on strong cryptographic primitives rather than low‑entropy passwords. The paper suggests future work on real‑time policy updates and more automated, secure seed distribution across devices.