Towards reliable storage of 56-bit secrets in human memory

Proceedings of the 23rd USENIX Security Symposium

Volumn , Issue , 2014, Pages 607-623

  Bonneau, Joseph ^a   Schechter, Stuart ^b  

^a PRINCETON UNIVERSITY   (United States)

^b MICROSOFT RESEARCH   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

AUTHENTICATION;

HUMAN MEMORY; SHORT CODES;

CODES (SYMBOLS);

EID: 85060180093     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (95)

1. HashCat project. http://hashcat.net/hashcat/.
2. "Automated Password Generator (APG)". NIST Federal Information Processing Standards Publication (1993).
3. Bitcoin currency statistics. blockchain.info/stats, 2014.
4. ADAMS, A., and SASSE., M. A., and LUNT, P. Making passwords secure and usable. In People and Computers XII. Springer London, 1997, pp. 1-19.
5. ALLBERY, B. pwgen - random but pronounceable password generator. USENET posting in comp.sources.misc (1988).
6. ARNOLD, R. G. The Diceware Passphrase Home Page. world.std.com/~reinhold/diceware.html, 2014.
7. ATALLAH, M. J., and MCDONOUGH., C. J., RASKIN, V., and NIRENBURG, S. Natural language processing for information assurance and security: an overview and implementations. In Proceedings of the 2000 New Security Paradigms Workshop (2001), ACM, pp. 51-65.
8. ATKINSON, R. C., and SHIFFRIN, R. M. Human memory: A proposed system and its control processes. The Psychology of Learning and Motivation 2 (1968), 89-195.
9. BADDELEY, A. Working memory. Science 255, 5044 (1992), 556-559.
10. BADDELEY, A. D. Human memory: Theory and practice. Psychology Press, 1997.
11. BALOTA, D. A., and DUCHEK., J. M., and LOGAN, J. M. Is expanded retrieval practice a superior form of spaced retrieval? A critical review of the extant literature. The foundations of remembering: Essays in honor of Henry L. Roediger, III (2007), 83-105.
12. BICAKCI, K., and VAN OORSCHOT, P. C. A multi-word password proposal (gridWord) and exploring questions about science in security research and usable security evaluation. In Proceedings of the 2011 New Security Paradigms Workshop (2011), ACM, pp. 25-36.
13. BIDDLE, R., CHIASSON, S., and VAN OORSCHOT, P. C. Graphical passwords: Learning from the first twelve years. ACM Computing Surveys (CSUR) 44, 4 (2012), 19.
14. BLISS, T. V., AND LØMO, T. Long-lasting potentiation of synap-tic transmission in the dentate area of the anaesthetized rabbit following stimulation of the perforant path. The Journal of Physiology 232, 2 (1973), 331-356.
15. BLOCKI, J. Usable Human Authentication: A Quantitative Treatment. PhD thesis, Carnegie Mellon University, June 2014.
16. BLOCKI, J., BLUM, M., and DATTA, A. Naturally rehearsing passwords. In Advances in Cryptology-ASIACRYPT 2013. Springer, 2013, pp. 361-380.
17. BOJINOV, H., SANCHEZ, D., REBER, P., BONEH, D., and LINCOLN, P. Neuroscience meets cryptography: designing crypto primitives secure against rubber hose attacks. In Proceedings of the 21st USENIX Security Symposium (2012).
18. BONNEAU, J. Guessing human-chosen secrets. PhD thesis, University of Cambridge, May 2012.
19. BONNEAU, J. Moore's Law won't kill passwords. Light Blue Touchpaper, January 2013.
20. BONNEAU, J., HERLEY, C., VAN OORSCHOT, P. C., AND STA-JANO, F. The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. In 2012 IEEE Symposium on Security and Privacy (May 2012).
21. th International Conference on Financial Cryptography (January 2010).
22. th International Conference on Financial Cryptography (March 2012).
23. BONNEAU, J., and SCHECHTER, S. Towards reliable storage of 56-bit secrets in human memory (extended version). Tech. rep., Microsoft Research.
24. BONNEAU, J., and SHUTOVA, E. Linguistic properties of multiword passphrases. In USEC '12: Workshop on Usable Security (March 2012).
25. BOYEN, X. Halting password puzzles. In USENIX Security Symposium (2007).
26. BRAND, S. Department of Defense Password Management Guideline.
27. BRANTZ, T., and FRANZ, A. The Google Web 1T 5-gram corpus. Tech. Rep. LDC2006T13, Linguistic Data Consortium, 2006.
28. BROSTOFF, A. Improving password system effectiveness. PhD thesis, University College London, 2004.
29. BROWN, D. R. Prompted User Retrieval of Secret Entropy: The Passmaze Protocol. IACR Cryptology ePrint Archive 2005 (2005), 434.
30. BUNNELL, J., PODD, J., HENDERSON, R., NAPIER, R., and KENNEDY-MOFFAT, J. Cognitive, associative and conventional passwords: Recall and guessing rates. Computers & Security 16, 7 (1997), 629-641.
31. BUNTING, M. Proactive interference and item similarity in working memory. Journal of Experimental Psychology: Learning, Memory, and Cognition 32, 2 (2006), 183.
32. BURR, W. E., and DODSON., D. F., and POLK, W. T. Electronic Authentication Guideline. NIST Special Publication 800-63 (2006).
33. CAMERON, K. A., and HAARMANN., H. J., GRAFMAN, J., and RUCHKIN, D. S. Long-term memory is the representational basis for semantic verbal short-term memory. Psychophysiology 42, 6 (2005), 643-653.
34. CAPLE, C. The Effects of Spaced Practice and Spaced Review on Recall and Retention Using Computer Assisted Instruction. PhD thesis, North Carolina State University, 1996.
35. CEPEDA, N. J., PASHLER, H., VUL, E., WIXTED, J. T., and ROHRER, D. Distributed practice in verbal recall tasks: A review and quantitative synthesis. Psychological Bulletin 132, 3 (2006), 354.
36. CHIASSON, S., FORGET, A., BIDDLE, R., and VAN OORSCHOT, P. C. Influencing users towards better passwords: persuasive cued click-points. In Proceedings of the 22nd British HCI Group Annual Conference on People and Computers: Culture, Creativity, Interaction-Volume 1 (2008), British Computer Society, pp. 121-130.
37. CHIASSON, S., VAN OORSCHOT, P. C., AND BIDDLE, R. Graphical password authentication using cued click points. In Computer Security-ESORICS 2007. Springer, 2007, pp. 359-374.
38. CLAIR, L. S., JOHANSEN, L., ENCK, W., PIRRETTI, M., TRAYNOR, P., MCDANIEL, P., and JAEGER, T. Password exhaustion: Predicting the end of password usefulness. In Information Systems Security. Springer, 2006, pp. 37-55.
39. DAVIS, D., MONROSE, F., and REITER, M. K. On User Choice in Graphical Password Schemes. In USENIX Security Symposium (2004), Vol. 13, pp. 11-11.
40. DHAMIJA, R., and PERRIG, A. Déjà Vu: A User Study Using Images for Authentication. In Proceedings of the 9th Conference on USENIX Security Symposium - Volume 9 (Berkeley, CA, USA, 2000), SSYM'00, USENIX Association, pp. 4-4.
41. DI CRESCENZO, G., LIPTON, R., and WALFISH, S. Perfectly secure password protocols in the bounded retrieval model. In Theory of Cryptography. Springer, 2006, pp. 225-244.
42. DUGGAN, G. B., JOHNSON, H., and GRAWEMEYER, B. Rational security: Modelling everyday password use. International Journal of Human-Computer Studies 70, 6 (2012), 415-431.
43. EBBINGHAUS, H. Über das gedächtnis: untersuchungen zur experimentellen psychologie. Duncker & Humblot, 1885.
44. FAHL, S., HARBACH, M., ACAR, Y., and SMITH, M. On the ecological validity of a password study. In Proceedings of the Ninth Symposium on Usable Privacy and Security (2013), ACM, p. 13.
45. GANESAN, R., DAVIES, C., and ATLANTIC, B. A new attack on random pronounceable password generators. In Proceedings of the 17th {NIST}-{NCSC} National Computer Security Conference (1994).
46. GASSER, M. A random word generator for pronounceable passwords. Tech. rep., DTIC Document, 1975.
47. GREENE, R. L. Spacing effects in memory: Evidence for a two-process account. Journal of Experimental Psychology: Learning, Memory, and Cognition 15, 3 (1989), 371.
48. JAKOBSSON, M., YANG, L., and WETZEL, S. Quantifying the security of preference-based authentication. In Proceedings of the 4th ACM Workshop on Digital Identity Management (2008), ACM, pp. 61-70.
49. JERMYN, I., MAYER, A., MONROSE, F., REITER, M. K., and RUBIN., A. D., et al. The design and analysis of graphical passwords. In Proceedings of the 8th USENIX Security Symposium (1999), Vol. 8, Washington DC, pp. 1-1.
50. JEYARAMAN, S., and TOPKARA, U. Have the cake and eat it too - Infusing usability into text-password based authentication systems. In Computer Security Applications Conference, 21st Annual (2005), IEEE.
51. JOSEFSSON, S. The Base16, Base32, and Base64 Data Encodings. RFC 4648 (Proposed Standard), Oct. 2006.
52. JUELS, A., and RIVEST, R. L. Honeywords: Making Passwordcracking Detectable. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (New York, NY, USA, 2013), CCS '13, ACM, pp. 145-160.
53. KARPICKE, J. D., and ROEDIGER III, H. L. Expanding retrieval practice promotes short-term retention, but equally spaced retrieval enhances long-term retention. Journal of Experimental Psychology: Learning, Memory, and Cognition 33, 4 (2007), 704.
54. KAUFMAN, C., PERLMAN, R., and SPECINER, M. Network security: Private communication in a public world. Prentice Hall Press, 2002.
55. KEITH, M., SHAO, B., and STEINBART, P. J. The usability of passphrases for authentication: An empirical field study. International Journal of Human-Computer Studies 65, 1 (2007), 17-28.
56. KELLEY, P. G., KOMANDURI, S., MAZUREK, M. L., SHAY, R., VIDAS, T., BAUER, L., CHRISTIN, N., and CRANOR., L. F., and LOPEZ, J. Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. In 2012 IEEE Symposium on Security and Privacy (2012), IEEE, pp. 523-537.
57. KELSEY, J., SCHNEIER, B., HALL, C., and WAGNER, D. Secure applications of low-entropy keys. In Information Security. Springer, 1998, pp. 121-134.
58. KING, M. Rebus passwords. In Proceedings of the Seventh Annual Computer Security Applications Conference, 1991 (Dec 1991), pp. 239-243.
59. KITTUR, A., and CHI., E. H., and SUH, B. Crowdsourcing User Studies with Mechanical Turk. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (New York, NY, USA, 2008), CHI '08, ACM, pp. 453-456.
60. KOMANDURI, S., SHAY, R., KELLEY, P. G., and MAZUREK., M. L., BAUER, L., CHRISTIN, N., CRANOR, L. F., and EGELMAN, S. Of passwords and people: measuring the effect of password-composition policies. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (2011), ACM, pp. 2595-2604.
61. KURZBAN, S. A. Easily Remembered Passphrases: A Better Approach. SIGSAC Rev. 3, 2-4 (Sept. 1985), 10-21.
62. LANDAUER, T., and BJORK, R. Optimum rehearsal patterns and name learning. In M. M. Gruneberg, PE Morris, & RN Sykes (Eds.), Practical aspects of memory (pp. 625-632), 1978.
63. LASTPASS. LastPass Security Notification. http://blog.lastpass.com/2011/05/lastpass-security-notification.html.
64. LEONHARD, M. D., and VENKATAKRISHNAN, V. A comparative study of three random password generators. In IEEE EIT (2007).
65. MEUNIER, P. C. Sing-a-Password: Quality Random Password Generation with Mnemonics. 1998.
66. MORRIS, R., and THOMPSON, K. Password Security: A Case History. Communications of the ACM 22, 11 (1979), 594-597.
67. MUNROE, R. Password Strength. https://www.xkcd.com/936/, 2012.
68. PAVLIK, P. I., and ANDERSON, J. R. Using a model to compute the optimal schedule of practice. Journal of Experimental Psychology: Applied 14, 2 (2008), 101.
69. PERCIVAL, C. Stronger key derivation via sequential memory-hard functions. 2009.
70. PIMSLEUR, P. A memory schedule. Modern Language Journal (1967), 73-75.
71. PROCTOR, R. W., LIEN, M.-C., VU, K.-P. L., SCHULTZ, E. E., AND SALVENDY, G. Improving computer security for authentication of users: Influence of proactive password restrictions. Behavior Research Methods, Instruments, & Computers 34, 2 (2002), 163-169.
72. PROVOS, N., and MAZIERES, D. A Future-Adaptable Password Scheme. In USENIX Annual Technical Conference, FREENIX Track (1999), pp. 81-91.
73. RABKIN, A. Personal knowledge questions for fallback authentication: Security questions in the era of Facebook. In Proceedings of the 4th Symposium on Usable Privacy and Security (2008), ACM, pp. 13-23.
74. ROSS, J., IRANI, L., SILBERMAN, M. S., ZALDIVAR, A., and TOMLINSON, B. Who are the Crowdworkers?: Shifting Demographics in Mechanical Turk. In CHI '10 Extended Abstracts on Human Factors in Computing Systems (New York, NY, USA, 2010), CHI EA '10, ACM, pp. 2863-2872.
75. SANCHEZ, D. J., and GOBEL., E. W., and REBER, P. J. Performing the unexplainable: Implicit task performance reveals individually reliable sequence learning without explicit knowledge. Psychonomic Bulletin & Review 17, 6 (2010), 790-796.
76. SCHECHTER, S., and BRUSH., A. B., and EGELMAN, S. It's No Secret. Measuring the Security and Reliability of Authentication via "Secret" Questions. In Security and Privacy, 2009 30th IEEE Symposium on (2009), IEEE, pp. 375-390.
77. SHAY, R., and KELLEY., P. G., KOMANDURI, S., MAZUREK, M. L., UR, B., VIDAS, T., BAUER, L., CHRISTIN, N., and CRANOR, L. F. Correct horse battery staple: Exploring the usability of system-assigned passphrases. In Proceedings of the Eighth Symposium on Usable Privacy and Security (2012), ACM, p. 7.
78. STOBERT, E. A. Memorability of Assigned Random Graphical Passwords. Master's thesis, Carleton University, 2011.
79. STROOP, J. R. Studies of Interference in Serial Verbal Reactions. Journal of Experimental Psychology 18, 6 (Dec. 1935), 643-662.
80. STUBBLEFIELD, A., and SIMON, D. Inkblot authentication. Microsoft Research (2004).
81. TAO, H., and ADAMS, C. Pass-Go: A Proposal to Improve the Usability of Graphical Passwords. IJ Network Security 7, 2 (2008), 273-292.
82. THE ETHICAL RESEARCH PROJECT. Post-experiment survey for deception studies. https://www.ethicalresearch.org/.
83. VAN OORSCHOT, P. C., and THORPE, J. On predictive models and user-drawn graphical passwords. ACM Transactions on Information and System Security (TISSEC) 10, 4 (2008), 5.
84. VAN OORSCHOT, P. C., and THORPE, J. Exploiting predictability in click-based graphical passwords. Journal of Computer Security 19, 4 (2011), 669-702.
85. VERAS, R., COLLINS, C., and THORPE, J. On the semantic patterns of passwords and their security impact. In Network and Distributed System Security Symposium (NDSS'14) (2014).
86. VU, K.-P. L., PROCTOR, R. W., BHARGAV-SPANTZEL, A., TAI, B.-L. B., COOK, J., AND EUGENE SCHULTZ, E. Improving password security and memorability to protect personal and organizational information. International Journal of HumanComputer Studies 65, 8 (2007), 744-757.
87. WEINSHALL, D., and KIRKPATRICK, S. Passwords You'll Never Forget, but Can't Recall. In CHI '04 Extended Abstracts on Human Factors in Computing Systems (New York, NY, USA, 2004), CHI EA '04, ACM, pp. 1399-1402.
88. WIEDENBECK, S., WATERS, J., BIRGET, J.-C., BRODSKIY, A., and MEMON, N. PassPoints: Design and longitudinal evaluation of a graphical password system. International Journal of Human-Computer Studies 63, 1 (2005), 102-127.
89. WIXTED, J. T. The psychology and neuroscience of forgetting. Annual Psychology Review 55 (2004), 235-269.
90. WOOD, H. M. The use of passwords for controlled access to computer resources, Vol. 500. US Department of Commerce, National Bureau of Standards, 1977.
91. WOZNIAK, P. SuperMemo 2004. TESL EJ 10, 4 (2007).
92. YAN, J. J., and BLACKWELL., A. F., ANDERSON, R. J., and GRANT, A. Password Memorability and Security: Empirical Results. IEEE Security & privacy 2, 5 (2004), 25-31.
93. ZVIRAN, M., and HAGA, W. User authentication by cognitive passwords: an empirical assessment. In Proceedings of the 5th Jerusalem Conference on Information Technology (Oct 1990), pp. 137-144.
94. ZVIRAN, M., and HAGA, W. J. Passwords Security: An Exploratory Study. Tech. rep., Naval Postgraduate School, 1990.
95. ZVIRAN, M., and HAGA, W. J. Password security: an empirical study. Journal of Management Information Systems 15 (1999), 161-186.