Textual passwords are widely used for user authentication. An ideal password should be easy for a user to remember, but difficult for others to guess. Users value these two requirements very differently -- high recall is very important, as it allows the user to access the desired service. Security is important but less so, since it only guards against unauthorized access, which is unwanted but, from the user's perspective, rare. These different valuations lead to two prevalent approaches to password creation. In one, users relate their passwords to some personally salient facts, such as names and birth dates, which makes them easy to remember but also easy to guess. In the other, users create several moderately strong passwords, but then reuse them to achieve high recall. This lowers security, because passwords stolen from one server can be used to gain access to another one.
Our research seeks to understand this tension between memorability and security of passwords. We also design new textual authentication methods that help users create passwords that are both memorable and secure.
It is no secret that users have difficulty choosing and remembering strong passwords, especially when asked to choose different passwords across different accounts. While research has shed light on password weaknesses and reuse, less is known about user motivations for following bad password practices. Understanding these motivations can help us design better interventions that work with the habits of users and not against them.
In this project we ran a comprehensive user study in which we both collected and analyzed users' real passwords and the reasoning behind their password habits. This enabled us to contrast the users' actual behaviors with their intentions. We found that user intent often does not match practice, and that this, coupled with some misconceptions and convenience, fostered bad password habits. Our work is the first to show the discrepancy between user intent and practice when creating passwords, and to investigate how users trade off security for memorability.
Life-experience passwords (LEPs) consist of authentication secrets created out of a user's existing memories about a chosen life experience, such as a trip, a graduation, a wedding, a place, etc. This lowers a user's cognitive burden and mimics what users already do - build passwords out of existing memories. To achieve high recall, we transform existing user memories into a series of questions and answers. The questions are used at authentication time as hints for the user, and the answers become the password. We further apply imprecise matching at authentication. Authentication succeeds when a user recalls enough answers with enough precision.
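As an added illustration (not the project's own code), the following shows how the k-of-n, imprecise-match authentication described above can be realized: each recalled answer is normalized, compared to the enrolled answer with a normalized edit-distance similarity, and authentication succeeds when enough answers clear the precision threshold. The questions, answers, threshold values and the Levenshtein-based similarity are assumptions chosen for this example.

```python
"""Illustrative k-of-n imprecise matching for life-experience passwords (LEPs).
Assumptions (not from the original page): answers are normalized to lowercase
ASCII alphanumerics, per-answer precision is a normalized Levenshtein
similarity, and the thresholds below are constructed example values."""
import re
import unicodedata

# Constructed enrollment: questions are shown as hints, answers form the LEP.
LEP_QUESTIONS = ["Where did you go?", "Who came with you?",
                 "What month was it?", "What did you eat?"]
LEP_ENROLLED = ["Lisbon", "Maria Santos", "August", "grilled sardines"]

MIN_SIMILARITY = 0.8   # per-answer precision needed to count as recalled (assumed)
MIN_CORRECT = 3        # k of the n answers must be recalled (assumed)

# Note: imprecise matching means the server cannot compare against a salted hash
# of each full answer; enrolled answers must be stored in a comparable form
# (e.g. encrypted at rest), which is a deployment concern outside this example.

def normalize(text: str) -> str:
    """Strip accents, case, spaces and punctuation so minor typing noise is ignored."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]", "", text.lower())

def levenshtein(a: str, b: str) -> int:
    """Classic single-row dynamic-programming edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(given: str, stored: str) -> float:
    """1.0 for an exact match after normalization, lower as edits accumulate."""
    g, s = normalize(given), normalize(stored)
    if not g and not s:
        return 1.0
    return 1.0 - levenshtein(g, s) / max(len(g), len(s))

def authenticate(answers, enrolled=LEP_ENROLLED, min_sim=MIN_SIMILARITY, k=MIN_CORRECT) -> bool:
    """Succeed when at least k answers are recalled with similarity >= min_sim."""
    if len(answers) != len(enrolled):
        return False
    correct = sum(similarity(a, e) >= min_sim for a, e in zip(answers, enrolled))
    return correct >= k
```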
LEPs have 2--3 times higher recall than regular passwords - 73% are recalled after a week and 54% are recalled after 3--6 months. LEPs are many orders of magnitude stronger than an ideal, random, 8-character password, making them hard to guess via offline attacks. Friends and family also have a hard time guessing LEPs. In our studies only 0.7% of LEPs were guessed by acquaintances and 9.5% by very close friends or family members. We further achieve high diversity of LEPs by having different servers prompt users for different memories at password creation time. In our studies, LEPs were reused half as often as passwords.
Passphrases are regarded as more secure than passwords because they are longer. Yet, users use predictable word patterns and common phrases to make passphrases memorable, which in turn significantly lowers security. In this project we explored a novel use of mnemonics, multi-letter passphrase abbreviations, to make passphrases more memorable and more secure. We used mnemonics during authentication as user hints to achieve cued recall. We also explored the use of mnemonics to guide passphrase creation – we generate a random mnemonic and require a user to produce a passphrase that matches it. This guides the users away from common phrases and improves security. We evaluated these uses of mnemonics in several IRB-approved user studies with participants from Amazon Mechanical Turk. We found that mnemonics displayed as authentication hints increase recall of passphrases by 30–36% after three days, and by 51–74% after seven days. When used to guide passphrase creation, mnemonics reduced the use of common phrases from 52% to under 5%, while passphrase recall remained high. Users also rated the usability of passphrases with mnemonics (for creation or for authentication) higher than the usability of classical passphrases.
Password meters and policies are currently the only tools helping users to create stronger passwords. However, such tools often do not provide consistent or useful feedback to users, and their suggestions may decrease the memorability of the resulting passwords. Passwords that are difficult to remember promote bad practices, such as writing them down or password reuse, so stronger passwords do not necessarily improve authentication security. In this project, we designed GuidedPass – a system that suggests real-time password modifications to users, which preserve the password's semantic structure while increasing password strength. Our suggestions were based on structural and semantic patterns mined from successfully recalled and strong passwords in several IRB-approved user studies [30]. We compared our approach to password creation with creation under the NIST policy, Ur et al. [UrCHI-2017] guidance, and the zxcvbn password meter. We showed that GuidedPass outperforms competing approaches both in password strength and in recall performance.