Team for Research in
Ubiquitous Secure Technology

Naturally Rehearsing Passwords
Jeremiah Blocki

Citation
Jeremiah Blocki. "Naturally Rehearsing Passwords". Talk or presentation, 9, October, 2013.

Abstract
We introduce quantitative usability and security models to guide the design of password management schemes — systematic strategies to help users create and remember multiple passwords. In the same way that security proofs in cryptography are based on complexity-theoretic assumptions (e.g., hardness of factoring and discrete logarithm), we quantify usability by introducing usability assumptions. In particular, password management relies on assumptions about human memory, e.g., that a user who follows a particular rehearsal schedule will successfully maintain the corresponding memory. These assumptions are informed by research in cognitive science and can be tested empirically. Given rehearsal requirements and a user’s visitation schedule for each account, we use the total number of extra rehearsals that the user would have to do to remember all of his passwords as a measure of the usability of the password scheme. Our usability model leads us to a key observation: password reuse benefits users not only by reducing the number of passwords that the user has to memorize, but more importantly by increasing the natural rehearsal rate for each password. We also present a security model which accounts for the complexity of password management with multiple accounts and associated threats, including online, offline, and plaintext password leak attacks. Observing that current password management schemes are either insecure or unusable, we present Shared Cues—a new scheme in which the underlying secret is strategically shared across accounts to ensure that most rehearsal requirements are satisfied naturally while simultaneously providing strong security. The construction uses the Chinese Remainder Theorem to achieve these competing goals.

Electronic downloads

Citation formats  
  • HTML 
    Jeremiah Blocki. <a
href="http://www.truststc.org/pubs/915.html"
><i>Naturally Rehearsing
Passwords</i></a>, Talk or presentation,  9,
October, 2013.
  • Plain text 
    Jeremiah Blocki. "Naturally Rehearsing Passwords".
Talk or presentation,  9, October, 2013.
  • BibTeX 
    @presentation{Blocki13_NaturallyRehearsingPasswords,
    author = {Jeremiah Blocki},
    title = {Naturally Rehearsing Passwords},
    day = {9},
    month = {October},
    year = {2013},
    abstract = {We introduce quantitative usability and security
              models to guide the design of password management
              schemes — systematic strategies to help users
              create and remember multiple passwords. In the
              same way that security proofs in cryptography are
              based on complexity-theoretic assumptions (e.g.,
              hardness of factoring and discrete logarithm), we
              quantify usability by introducing usability
              assumptions. In particular, password management
              relies on assumptions about human memory, e.g.,
              that a user who follows a particular rehearsal
              schedule will successfully maintain the
              corresponding memory. These assumptions are
              informed by research in cognitive science and can
              be tested empirically. Given rehearsal
              requirements and a user’s visitation schedule
              for each account, we use the total number of extra
              rehearsals that the user would have to do to
              remember all of his passwords as a measure of the
              usability of the password scheme. Our usability
              model leads us to a key observation: password
              reuse benefits users not only by reducing the
              number of passwords that the user has to memorize,
              but more importantly by increasing the natural
              rehearsal rate for each password. We also present
              a security model which accounts for the complexity
              of password management with multiple accounts and
              associated threats, including online, offline, and
              plaintext password leak attacks. Observing that
              current password management schemes are either
              insecure or unusable, we present Shared Cues—a
              new scheme in which the underlying secret is
              strategically shared across accounts to ensure
              that most rehearsal requirements are satisfied
              naturally while simultaneously providing strong
              security. The construction uses the Chinese
              Remainder Theorem to achieve these competing goals.},
    URL = {http://www.truststc.org/pubs/915.html}
}

Posted by Carolyn Winter on 13 Nov 2013.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.