Learning system-assigned passwords (up to 56 bits) in a single registration session with the methods of cognitive psychology
Download: Paper (PDF)
Date: 26 Feb 2017
Document Type: Reports
Additional Documents: Slides
Associated Event: NDSS Symposium 2017
System-assigned random passwords offer security guarantees against guessing attacks but suffer from poor memorability. In this work, we review the cognitive psychology literature and identify two training methods appropriate to aid users in memorizing system-assigned passwords. The method of loci exploits users spatial and visual memory, while the link method helps users by creating a chain of memory cues. We developed techniques to automatically take a given random password and generate training aids (videos) based on each of these methods. The results of a memorability study showed that both methods were significantly better than a control condition (no training) and that the method of loci had a login success rate of 86%, a high value for any recall-based study with system-assigned passwords. With a registration time of 160 seconds and a median login time of 9 seconds, this method holds promise as a direction to addressing the usability-security trade-off in user authentication. We further extend this idea to help users memorize long system-assigned random passwords that offer almost crypto-level security and conduct a second memorability study. The results of this study demonstrated that with the help of a password hint, 81% of participants were able to recall the password after a week. This indicates that the method of loci can be leveraged to help users memorize cryptographically-strong secret in just one session, and thus offers a more viable alternative to the spaced repetition technique, which involves dozens of sessions of user training.