Naturally rehearsing passwords

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 8270 LNCS, Issue PART 2, 2013, Pages 361-380

  Blocki, Jeremiah ^a   Blum, Manuel ^a   Datta, Anupam ^a  

^a CARNEGIE MELLON UNIVERSITY   (United States)

Author keywords

Chinese Remainder Theorem; Password Management Scheme; Security Model; Sufficient Rehearsal Assumption; Usability Model; Visitation Schedule

Indexed keywords

CHINESE REMAINDER THEOREM; PASSWORD MANAGEMENT; SECURITY MODEL; SUFFICIENT REHEARSAL ASSUMPTION; USABILITY MODELING;

CRYPTOGRAPHY; SECURITY OF DATA; USABILITY ENGINEERING;

AUTHENTICATION;

EID: 84892375701     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-642-42045-0_19     Document Type: Conference Paper

References (61)

1. Amazon ec2 pricing, http://aws.amazon.com/ec2/pricing/ (retrieved October 22, 2012)
2. Cert incident note in-98.03: Password cracking activity (July 1998), http://www.cert.org/incident-notes/IN-98.03.html (retrieved August 16, 2011)
3. Geek to live: Choose (and remember) great passwords (July 2006), http://lifehacker.com/184773/geek-to-live-choose-and-remember-great-passwords (retrieved September 27, 2012)
4. Rockyou hack: From bad to worse (December 2009), http://techcrunch.com/ 2009/12/14/rockyou-hack-security-myspace-facebook-passwords/ (retrieved September 27, 2012)
5. Oh man, what a day! an update on our security breach (April 2010), http://blogs.atlassian.com/news/2010/04/oh-man-what-a-day-an-update-on-our- security-breach.html (retrieved August 18, 2011)
6. Sarah palin vs the hacker (May 2010), http://www.telegraph.co.uk/news/ worldnews/sarah-palin/7750050/Sarah-Palin-vs-the-hacker.html (retrieved September 9, 2012)
7. Nato site hacked (June 2011), http://www.theregister.co.uk/2011/06/24/ nato-hack-attack/ (retrieved August 16, 2011)
8. Update on playstation network/qriocity services (April 2011), http://blog.us.playstation.com/2011/04/22/update-on-playstation-network- qriocity-services/ (retrieved May 22, 2012)
9. Apple security blunder exposes lion login passwords in clear text (May 2012), http://www.zdnet.com/blog/security/apple-security-blunder-exposes-lion- login-passwords-in-clear-text/11963 (retrieved May 22, 2012)
10. Data breach at ieee.org: 100k plaintext passwords (September 2012), http://ieeelog.com/ (retrieved September 27, 2012)
11. An update on linkedin member passwords compromised (June 2012), http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/ (retrieved September 27, 2012)
12. Zappos customer accounts breached (January 2012), http://www.usatoday. com/tech/news/story/2012-01-16/mark-smith-zappos-breach-tips/52593484/1 (retrieved May 22, 2012)
13. Acquisti, A., Gross, R.: Imagined communities: awareness, information sharing, and privacy on the facebook. In: Danezis, G., Golle, P. (eds.) PET 2006. LNCS, vol. 4258, pp. 36-58. Springer, Heidelberg (2006)
14. Anderson, J., Matessa, M., Lebiere, C.: Act-r: A theory of higher level cognition and its relation to visual attention. Human-Computer Interaction 12(4), 439-462 (1997)
15. Anderson, J.R., Schooler, L.J.: Reflections of the environment in memory. Psychological Science 2(6), 396-408 (1991)
16. Asmuth, C., Bloom, J.: A modular approach to key safeguarding. IEEE Transactions on Information Theory 29(2), 208-210 (1983)
17. Baddeley, A.: Human memory: Theory and practice. Psychology Pr. (1997)
18. Bellare, M., Rogaway, P.: The exact security of digital signatures - how to sign with RSA and rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399-416. Springer, Heidelberg (1996)
19. Biddle, R., Chiasson, S., Van Oorschot, P.: Graphical passwords: Learning from the first twelve years. ACM Computing Surveys (CSUR) 44(4), 19 (2012)
20. Biddle, S.: Anonymous leaks 90,000 military email accounts in latest antisec attack (July 2011), http://gizmodo.com/5820049/anonymous-leaks-90000- military-email-accounts-in-latest-antisec-attack (retrieved August 16, 2011)
21. Blocki, J., Blum, M., Datta, A.: Naturally rehearsing passwords. CoRR abs/1302.5122 (2013)
22. Blocki, J., Komanduri, S., Procaccia, A., Sheffet, O.: Optimizing password composition policies
23. Bojinov, H., Sanchez, D., Reber, P., Boneh, D., Lincoln, P.: Neuroscience meets cryptography: designing crypto primitives secure against rubber hose attacks. In: Proceedings of the 21st USENIX Conference on Security Symposium, pp. 33-33. USENIX Association (2012)
24. Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 538-552. IEEE (2012)
25. Bonneau, J., Herley, C., van Oorschot, P.C., Stajano, F.: The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In: IEEE Symposium on Security and Privacy, pp. 553-567. IEEE (2012)
26. Boztas, S.: Entropies, guessing, and cryptography. Department of Mathematics, Royal Melbourne Institute of Technology, Tech. Rep 6 (1999)
27. Brand, S. Department of defense password management guideline
28. Brostoff, S., Sasse, M.: Are Passfaces more usable than passwords: A field trial investigation. In: People and Computers XIV-Usability or Else: Proceedings of HCI, pp. 405-424 (2000)
29. Burnett, M.: Perfect passwords: selection, protection, authentication. Syngress Publishing (2005)
30. Center, I.: Consumer password worst practices. Imperva (White Paper) (2010)
31. Danescu-Niculescu-Mizil, C., Cheng, J., Kleinberg, J., Lee, L.: You had me at hello: How phrasing affects memorability. In: Proceedings of the 50th Annual Meeting of the Association for Computational Linguistics: Long Papers, vol. 1, pp. 892-901. Association for Computational Linguistics (2012)
32. Ding, C., Pei, D., Salomaa, A.: Chinese remainder theorem. World Scientific (1996)
33. Florencio, D., Herley, C.: A large-scale study of web password habits. In: Proceedings of the 16th International Conference on World Wide Web, pp. 657-666. ACM (2007)
34. Foer, J.: Moonwalking with Einstein: The Art and Science of Remembering Everything. Penguin Press (2011)
35. Gaw, S., Felten, E.W.: Password management strategies for online accounts. In: Proceedings of the Second Symposium on Usable Privacy and Security, SOUPS 2006, pp. 44-55. ACM, New York (2006)
36. Hopper, N.J., Blum, M.: Secure human identification protocols. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 52-66. Springer, Heidelberg (2001)
37. Kohonen, T.: Associative memory: A system-theoretical approach. Springer, Berlin (1977)
38. Komanduri, S., Shay, R., Kelley, P., Mazurek, M., Bauer, L., Christin, N., Cranor, L., Egelman, S.: Of passwords and people: measuring the effect of password-composition policies. In: Proceedings of the 2011 Annual Conference on Human Factors in Computing Systems, pp. 2595-2604. ACM (2011)
39. Kruger, H., Steyn, T., Medlin, B., Drevin, L.: An empirical assessment of factors impeding effective password management. Journal of Information Privacy and Security 4(4), 45-59 (2008)
40. Marr, D.: Simple memory: a theory for archicortex. Philosophical Transactions of the Royal Society of London. Series B, Biological Sciences, 23-81 (1971)
41. Massey, J.: Guessing and entropy. In: Proceedings of the 1994 IEEE International Symposium on Information Theory, p. 204. IEEE (1994)
42. Monroe, R.: Xkcd: Password strength, http://www.xkcd.com/936/ (retrieved August 16, 2011)
43. Nisan, N., Wigderson, A.: Hardness vs randomness. Journal of Computer and System Sciences 49(2), 149-167 (1994)
44. Pliam, J.O.: On the incomparability of entropy and marginal guesswork in bruteforce attacks. In: Roy, B., Okamoto, E. (eds.) INDOCRYPT 2000. LNCS, vol. 1977, pp. 67-79. Springer, Heidelberg (2000)
45. Provos, N., Mazieres, D.: Bcrypt algorithm
46. Radke, K., Boyd, C., Nieto, J.G., Brereton, M.: Towards a secure human-andcomputer mutual authentication protocol. In: Proceedings of the Tenth Australasian Information Security Conference (AISC 2012), vol. 125, pp. 39-46. Australian Computer Society Inc. (2012)
47. Rasch, G.: The poisson process as a model for a diversity of behavioral phenomena. In: International Congress of Psychology (1963)
48. Scarfone, K., Souppaya, M.: Guide to enterprise password management (draft). National Institute of Standards and Technology 800-188 6, 38 (2009)
49. Schechter, S., Brush, A., Egelman, S.: It's no secret. measuring the security and reliability of authentication via 'secret' questions. In: 2009 30th IEEE Symposium on Security and Privacy, pp. 375-390. IEEE (2009)
50. Shay, R., Kelley, P., Komanduri, S., Mazurek, M., Ur, B., Vidas, T., Bauer, L., Christin, N., Cranor, L.: Correct horse battery staple: Exploring the usability of system-assigned passphrases. In: Proceedings of the Eighth Symposium on Usable Privacy and Security, p. 7. ACM (2012)
51. Singer, A.: No plaintext passwords. The Magazine of Usenix & Sage 26(7) (November 2001) (retrieved August 16, 2011)
52. Spence, J.: The memory palace of Matteo Ricci. Penguin Books (1985)
53. Squire, L.: On the course of forgetting in very long-term memory. Journal of Experimental Psychology: Learning, Memory, and Cognition 15(2), 241 (1989)
54. Standingt, L.: Learning 10,000 pictures. Quarterly Journal of Experimental Psychology 5(20), 7-22 (1973)
55. Stein, J.: Pimp my password. Time, 62 (August 29, 2011)
56. Valiant, L.: Memorization and association on a realistic neural model. Neural Computation 17(3), 527-555 (2005)
57. van Rijn, H., van Maanen, L., van Woudenberg, M.: Passing the test: Improving learning gains by balancing spacing and testing effects. In: Proceedings of the 9th International Conference of Cognitive Modeling (2009)
58. Von Ahn, L., Blum, M., Hopper, N., Langford, J.: Captcha: Using hard ai problems for security. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 646-646. Springer, Heidelberg (2003)
59. Willshaw, D., Buckingham, J.: An assessment of marr's theory of the hippocampus as a temporary memory store. Philosophical Transactions of the Royal Society of London. Series B: Biological Sciences 329(1253), 205 (1990)
60. Wozniak, P., Gorzelanczyk, E.J.: Optimization of repetition spacing in the practice of learning. Acta Neurobiologiae Experimentalis 54, 59-59 (1994)
61. Yan, J., Blackwell, A., Anderson, R., Grant, A.: Password memorability and security: Empirical results. IEEE Security & Privacy 2(5), 25-31 (2004)