Abstract
We introduce quantitative usability and security models to guide the design of password management schemes — systematic strategies to help users create and remember multiple passwords. In the same way that security proofs in cryptography are based on complexity-theoretic assumptions (e.g., hardness of factoring and discrete logarithm), we quantify usability by introducing usability assumptions. In particular, password management relies on assumptions about human memory, e.g., that a user who follows a particular rehearsal schedule will successfully maintain the corresponding memory. These assumptions are informed by research in cognitive science and can be tested empirically. Given rehearsal requirements and a user’s visitation schedule for each account, we use the total number of extra rehearsals that the user would have to do to remember all of his passwords as a measure of the usability of the password scheme. Our usability model leads us to a key observation: password reuse benefits users not only by reducing the number of passwords that the user has to memorize, but more importantly by increasing the natural rehearsal rate for each password. We also present a security model which accounts for the complexity of password management with multiple accounts and associated threats, including online, offline, and plaintext password leak attacks. Observing that current password management schemes are either insecure or unusable, we present Shared Cues — a new scheme in which the underlying secret is strategically shared across accounts to ensure that most rehearsal requirements are satisfied naturally while simultaneously providing strong security. The construction uses the Chinese Remainder Theorem to achieve these competing goals.
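The following Python script is an added illustration (not code from the paper) of the usability measure described above: it counts how many rehearsal windows a password would miss if the user relied only on natural logins, and compares a unique-password-per-account strategy with partial and full reuse. The doubling rehearsal intervals and the four account visit periods are constructed assumptions, not the paper's parameters.

```python
from itertools import accumulate

# Constructed rehearsal schedule (an assumption for this example, not the
# paper's parameters): rehearsal intervals in days that double each time.
REHEARSAL_INTERVALS = [1, 2, 4, 8, 16, 32, 64]
HORIZON = sum(REHEARSAL_INTERVALS)  # 127 days covered by the schedule

# Constructed visitation schedules: account name -> logged into every N days.
ACCOUNTS = {"email": 3, "bank": 7, "utility": 30, "tax": 90}


def rehearsal_windows(intervals):
    """Consecutive (start, end] windows measured from the day the password
    was first memorised; the user must rehearse once inside each window."""
    windows, start = [], 0
    for end in accumulate(intervals):
        windows.append((start, end))
        start = end
    return windows


def visit_days(period, horizon=HORIZON):
    """Days on which an account visited every `period` days is logged into."""
    return set(range(period, horizon + 1, period))


def extra_rehearsals(periods, intervals=REHEARSAL_INTERVALS):
    """Extra rehearsals needed for one password used by the accounts with the
    given visit periods: a window with no natural login costs one rehearsal."""
    visits = set().union(*(visit_days(p) for p in periods))
    return sum(
        1 for start, end in rehearsal_windows(intervals)
        if not any(start < day <= end for day in visits)
    )


def total_extra_rehearsals(grouping):
    """Sum over passwords; `grouping` lists which accounts share a password."""
    return sum(extra_rehearsals([ACCOUNTS[a] for a in group]) for group in grouping)


if __name__ == "__main__":
    strategies = {
        "unique per account": [["email"], ["bank"], ["utility"], ["tax"]],
        "two shared passwords": [["email", "tax"], ["bank", "utility"]],
        "one password everywhere": [["email", "bank", "utility", "tax"]],
    }
    for name, grouping in strategies.items():
        print(f"{name:25s} extra rehearsals over {HORIZON} days: "
              f"{total_extra_rehearsals(grouping)}")
```

With these assumptions the rarely visited accounts dominate the cost of unique passwords, and sharing a secret with a frequently visited account removes nearly all of it, which is the natural-rehearsal effect the abstract describes.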
This work was partially supported by the NSF Science and Technology TRUST and the AFOSR MURI on Science of Cybersecurity. The first author was also partially supported by an NSF Graduate Fellowship.
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Blocki, J., Blum, M., Datta, A. (2013). Naturally Rehearsing Passwords. In: Sako, K., Sarkar, P. (eds) Advances in Cryptology - ASIACRYPT 2013. ASIACRYPT 2013. Lecture Notes in Computer Science, vol 8270. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-42045-0_19
DOI: https://doi.org/10.1007/978-3-642-42045-0_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-42044-3
Online ISBN: 978-3-642-42045-0