Life-Experience Passwords (LEPs)

Overview

User-supplied textual passwords are extensively used today for user authentication. However, these passwords have serious deficiencies in the way they interact with humans' natural ability to form memories. Strong passwords that are hard to crack are also hard for humans to remember, while memorable passwords are easily brute-forced or guessed. Recently, a number of alternatives to textual passwords have been proposed, such as drawing a password, selecting images from a list, learning a tune, etc. All these approaches share a common deficiency: they ask users to form new memories, which leads either to easily remembered but easily guessed passwords or to secure but easily forgotten ones. We propose novel Life-Experience Passwords (LEPs). Unlike existing approaches, our passwords are built from a user's episodic memory of defining life events, and should be both more memorable and harder to guess than traditional passwords.

Problem Statement

The main problem with all current password approaches, both textual and non-textual, is that they force a user to create new, complex memories that must be accurately retrieved after long stretches of time. This task is highly unnatural for humans. As summarized in [4], "Human memory is fundamentally associative, meaning that a new piece of information is remembered better if it can be associated with previously acquired knowledge that is already firmly anchored in memory. The more personally meaningful the association, the more effective the encoding and consolidation ... On the other hand, information that a person finds difficult to understand cannot be readily associated with already acquired knowledge and so will usually be poorly remembered, and may even be remembered in a distorted form". This quote relates directly to the memorability and security of textual passwords. Passwords that are meaningful to the user are derived from dictionary words, personal names or locations, and are easily guessed through dictionary attacks or by someone who knows the user personally. On the other hand, the strength of strong passwords comes precisely from their appearance as random sets of characters, which also impairs the human ability to memorize them and accurately retrieve them later. Additionally, while a human could easily generate any number of diverse passwords drawing on personal knowledge and interests, it is hard to remember which password is associated with which purpose. This leads to password reuse and severely undermines the security of password-based authentication.

Key Insights/Relevant Work

Proposed Approach

We propose a novel approach to user-supplied textual passwords, life-experience passwords (LEPs). LEPs are built from a user's episodic memory of their personal experiences, e.g. weddings, births, graduations, vacations, etc. To ensure memorability we would use only those experiences that occurred a number of years ago, and have thus already proved memorable enough to remain in the user's mind. LEPs would consist of several factoids related to a user-chosen personal experience. The verification process would prompt the user with questions about these factoids, and the user's answers would constitute the password. We expect that a higher level of detail memorable to the user would ensure the originality and strength of LEPs. Given a user's life event such as a wedding, some of the factoids about it may be mined from social media - e.g., the location - but others should be known only to the user - e.g., why she chose the specific wedding dress, which song played for the first dance, which guest said or did what at the event, etc. Our work is similar in intent to security questions used for secondary authentication, but differs in the details and in the resulting security against attacks. Security questions draw on a limited set of questions, while LEPs could potentially draw on an unlimited set of factoids. A security question has a single factoid that may be easily researched from public sources, while an LEP has several factoids, some of which should be known only to the user.
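To make the enrollment and verification flow concrete, here is an added example (not the project's own code) of how LEP answers could be stored and checked. It assumes that every factoid answer must match, that answers are normalized so that case, punctuation and spacing do not lock the user out, and that all answers are hashed together rather than one by one, so an attacker cannot guess each low-entropy factoid independently; the sample questions and answers are constructed.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Hypothetical LEP enrollment/verification sketch (added example, not the
# project's code). Design choices assumed here: all factoids must match,
# answers are normalized, and a single slow hash covers all answers at once
# so the guess space is the product of the factoids, not their sum.

PBKDF2_ROUNDS = 200_000

def normalize(answer: str) -> str:
    """Canonicalize free text: Unicode NFKC, casefold, drop punctuation,
    collapse whitespace."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)
    return " ".join(text.split())

def derive(answers: list[str], salt: bytes) -> bytes:
    # Join with a separator normalize() can never emit, so that
    # ["ab", "c"] and ["a", "bc"] cannot collide.
    joined = "\x1f".join(normalize(a) for a in answers).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", joined, salt, PBKDF2_ROUNDS)

def enroll(questions: list[str], answers: list[str]) -> dict:
    """Store the prompts in the clear and one slow hash over all answers."""
    salt = os.urandom(16)
    return {"questions": questions, "salt": salt, "digest": derive(answers, salt)}

def verify(record: dict, answers: list[str]) -> bool:
    if len(answers) != len(record["questions"]):
        return False
    candidate = derive(answers, record["salt"])
    return hmac.compare_digest(candidate, record["digest"])  # constant-time

# Constructed sample LEP (not real data)
QUESTIONS = ["Which song played for the first dance?",
             "Why did you choose that wedding dress?",
             "Which guest gave the unplanned toast?"]
ANSWERS = ["At Last", "It was my grandmother's", "Uncle Raj"]

def demo() -> tuple[bool, bool, bool]:
    """Exact answers pass, cosmetic variations pass, one wrong factoid fails."""
    rec = enroll(QUESTIONS, ANSWERS)
    exact = verify(rec, ANSWERS)
    sloppy = verify(rec, ["at last!", "it was my grandmothers", "uncle  raj"])
    wrong = verify(rec, ["At Last", "It was my grandmother's", "Uncle Sam"])
    return exact, sloppy, wrong
```

Storing a separate hash per factoid would let an attacker confirm each answer on its own; hashing the concatenation is what forces every factoid to be guessed at once.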

We believe that LEPs provide the following benefits:

  1. Easy to remember: a user would be asked to only use memories that are several years old and thus have already proved significant enough to be retained in memory.
  2. Hard to guess: while many people have similar life experiences, the details of these experiences that are memorable enough differ widely between people, even between those witnessing the same event.
  3. Abundance of memories leads to password diversity: humans have a large number of personal experiences they can draw on to generate diverse passwords for diverse purposes. Thus, LEPs would address the deficiencies of current user-supplied passwords, significantly improving

Our ultimate goal is to develop an alternative authentication system that is more secure, more usable and more memorable than the existing approaches. Therefore, we take an interdisciplinary approach to tackling these challenging usable-security issues. Currently, we are collaborating with researchers from different disciplines including Linguistics, Natural Language Processing (NLP), Information Retrieval (IR), and Security & Privacy.

Presentations