Team for Research in
Ubiquitous Secure Technology

Naturally Rehearsing Passwords
Jeremiah Blocki

Citation
Jeremiah Blocki. "Naturally Rehearsing Passwords". Talk or presentation, 9, October, 2013.

Abstract
We introduce quantitative usability and security models to guide the design of password management schemes — systematic strategies to help users create and remember multiple passwords. In the same way that security proofs in cryptography are based on complexity-theoretic assumptions (e.g., hardness of factoring and discrete logarithm), we quantify usability by introducing usability assumptions. In particular, password management relies on assumptions about human memory, e.g., that a user who follows a particular rehearsal schedule will successfully maintain the corresponding memory. These assumptions are informed by research in cognitive science and can be tested empirically. Given rehearsal requirements and a user’s visitation schedule for each account, we use the total number of extra rehearsals that the user would have to do to remember all of his passwords as a measure of the usability of the password scheme. Our usability model leads us to a key observation: password reuse benefits users not only by reducing the number of passwords that the user has to memorize, but more importantly by increasing the natural rehearsal rate for each password. We also present a security model which accounts for the complexity of password management with multiple accounts and associated threats, including online, offline, and plaintext password leak attacks. Observing that current password management schemes are either insecure or unusable, we present Shared Cues—a new scheme in which the underlying secret is strategically shared across accounts to ensure that most rehearsal requirements are satisfied naturally while simultaneously providing strong security. The construction uses the Chinese Remainder Theorem to achieve these competing goals.
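The usability measure described above (extra rehearsals needed beyond the ones a user gets for free by logging in) is easy to make concrete with a small simulation. The following is an added example, not code from the talk or its authors. It assumes an expanding rehearsal schedule (each required interval is twice as long as the previous one), treats every account visit as a natural rehearsal of every cue in that account's password, and uses a constructed visitation schedule for four accounts. The sharing pattern in `SHARED` is hand-picked to illustrate the rehearsal benefit of reuse; it is not the paper's Chinese Remainder Theorem construction and makes no claim about the security side of the design.

```python
"""Added toy model of the "extra rehearsals" usability measure.

Assumptions made here (not stated in the abstract above):
  * Expanding rehearsal schedule: a cue must be rehearsed at least once in
    every interval [t_i, t_{i+1}) where t_{i+1} - t_i = BASE * GROWTH**i days.
  * Natural rehearsal: each visit to an account rehearses every cue that
    the account's password is built from.
  * Each account is visited periodically, starting on day 0 (creation).
An interval with no natural rehearsal costs the user one extra rehearsal.
"""
from itertools import count
from typing import Dict, List, Set, Tuple

BASE = 1.0       # length of the first rehearsal interval, in days
GROWTH = 2.0     # each interval is GROWTH times longer than the previous one
HORIZON = 365.0  # number of days simulated

# Constructed visitation schedule: account -> visit period in days.
VISITS: Dict[str, float] = {"email": 1, "bank": 7, "shop": 30, "tax": 90}

# Scheme 1: one independent secret (cue) per account.
INDEPENDENT: Dict[str, Set[str]] = {a: {f"cue_{a}"} for a in VISITS}

# Scheme 2: hand-picked sharing pattern, 4 cues, each used by 2 accounts.
# Illustrates sharing only; it is not the paper's CRT-based construction.
SHARED: Dict[str, Set[str]] = {
    "email": {"A", "B"},
    "bank": {"B", "C"},
    "shop": {"C", "D"},
    "tax": {"D", "A"},
}


def rehearsal_intervals(base: float = BASE, growth: float = GROWTH,
                        horizon: float = HORIZON) -> List[Tuple[float, float]]:
    """Rehearsal intervals [t_i, t_{i+1}) that end within the horizon."""
    intervals, start = [], 0.0
    for i in count():
        end = start + base * growth ** i
        if end > horizon:
            break
        intervals.append((start, end))
        start = end
    return intervals


def visit_times(period: float, horizon: float = HORIZON) -> List[float]:
    """Days on which an account with the given visit period is used."""
    return [k * period for k in range(int(horizon // period) + 1)
            if k * period < horizon]


def natural_rehearsals(scheme: Dict[str, Set[str]], visits: Dict[str, float],
                       horizon: float = HORIZON) -> Dict[str, List[float]]:
    """cue -> sorted days on which some account using that cue is visited."""
    times: Dict[str, Set[float]] = {}
    for account, cues in scheme.items():
        for cue in cues:
            times.setdefault(cue, set()).update(visit_times(visits[account], horizon))
    return {cue: sorted(ts) for cue, ts in times.items()}


def extra_rehearsals(scheme: Dict[str, Set[str]], visits: Dict[str, float],
                     horizon: float = HORIZON) -> Dict[str, int]:
    """cue -> number of rehearsal intervals containing no natural rehearsal."""
    intervals = rehearsal_intervals(horizon=horizon)
    result: Dict[str, int] = {}
    for cue, times in natural_rehearsals(scheme, visits, horizon).items():
        result[cue] = sum(1 for (s, e) in intervals
                          if not any(s <= t < e for t in times))
    return result


def total_extra(scheme: Dict[str, Set[str]], visits: Dict[str, float],
                horizon: float = HORIZON) -> int:
    """Usability cost of a scheme: extra rehearsals summed over all cues."""
    return sum(extra_rehearsals(scheme, visits, horizon).values())


if __name__ == "__main__":
    for name, scheme in (("independent", INDEPENDENT), ("shared", SHARED)):
        per_cue = extra_rehearsals(scheme, VISITS)
        print(f"{name:12s} extra rehearsals per cue: {per_cue}  "
              f"total={sum(per_cue.values())}")
```

With the constructed schedule, the rarely visited accounts (shop, tax) dominate the cost of the independent scheme, while in the shared scheme every cue inherits the rehearsal rate of the most frequently visited account that uses it, which is the effect the abstract's "natural rehearsal rate" observation describes.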

Citation formats
  • HTML
    Jeremiah Blocki. <a href="http://www.truststc.org/pubs/915.html"><i>Naturally Rehearsing Passwords</i></a>, Talk or presentation, 9, October, 2013.
  • Plain text
    Jeremiah Blocki. "Naturally Rehearsing Passwords". Talk or presentation, 9, October, 2013.
  • BibTeX
    @presentation{Blocki13_NaturallyRehearsingPasswords,
        author = {Jeremiah Blocki},
        title = {Naturally Rehearsing Passwords},
        day = {9},
        month = {October},
        year = {2013},
        abstract = {We introduce quantitative usability and security
                  models to guide the design of password management
                  schemes — systematic strategies to help users
                  create and remember multiple passwords. In the
                  same way that security proofs in cryptography are
                  based on complexity-theoretic assumptions (e.g.,
                  hardness of factoring and discrete logarithm), we
                  quantify usability by introducing usability
                  assumptions. In particular, password management
                  relies on assumptions about human memory, e.g.,
                  that a user who follows a particular rehearsal
                  schedule will successfully maintain the
                  corresponding memory. These assumptions are
                  informed by research in cognitive science and can
                  be tested empirically. Given rehearsal
                  requirements and a user’s visitation schedule
                  for each account, we use the total number of extra
                  rehearsals that the user would have to do to
                  remember all of his passwords as a measure of the
                  usability of the password scheme. Our usability
                  model leads us to a key observation: password
                  reuse benefits users not only by reducing the
                  number of passwords that the user has to memorize,
                  but more importantly by increasing the natural
                  rehearsal rate for each password. We also present
                  a security model which accounts for the complexity
                  of password management with multiple accounts and
                  associated threats, including online, offline, and
                  plaintext password leak attacks. Observing that
                  current password management schemes are either
                  insecure or unusable, we present Shared Cues—a
                  new scheme in which the underlying secret is
                  strategically shared across accounts to ensure
                  that most rehearsal requirements are satisfied
                  naturally while simultaneously providing strong
                  security. The construction uses the Chinese
                  Remainder Theorem to achieve these competing goals.},
        URL = {http://www.truststc.org/pubs/915.html}
    }

Posted by Carolyn Winter on 13 Nov 2013.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.