Towards Making Random Passwords Memorable: Leveraging Users' Cognitive Ability Through Multiple Cues

Given the choice, users produce passwords reflecting common strategies and patterns that ease recall but offer uncertain and often weak security. System-assigned passwords provide measurable security but suffer from poor memorability. To address this usability-security tension, we argue that systems should assign random passwords but also help with memorization and recall. We investigate the feasibility of this approach with CuedR, a novel cued-recognition authentication scheme that provides users with multiple cues (visual, verbal, and spatial) and lets them choose the cues that best fit their learning process for later recognition of system-assigned keywords. In our lab study, all 37 of our participants could log in within three attempts one week after registration (mean login time: 38.0 seconds). A pilot study on using multiple CuedR passwords also showed 100% recall within three attempts. Based on our results, we suggest appropriate applications for CuedR, such as financial and e-commerce accounts.
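The abstract's two security claims, that a system-assigned secret has a measurable guess space and that a recognition interface only needs to verify the user's picks, can be made concrete in a few lines. The following is an added example and not the paper's CuedR code; the word pool (32 constructed words), the number of rounds (4), the panel size (8 keywords per round), and the use of the three-attempt figure as a lockout limit are assumptions made here, since the abstract does not state CuedR's parameters. The distinction between the offline guess space (attacker holds the stored hash) and the online one (attacker only has to pick one keyword per displayed panel) is general reasoning about recognition-based schemes, not the paper's own analysis.

```python
"""Added example: system-assigned keywords with a computable guess space and a
recognition-style login check. Parameters below are illustrative assumptions."""
import hashlib
import hmac
import math
import random
import secrets

# Constructed 32-word pool; a deployment would use a far larger dictionary.
WORDLIST = ["anchor", "basil", "cactus", "dolphin", "ember", "falcon", "garnet", "harbor",
            "iris", "jasper", "kettle", "lantern", "maple", "nickel", "orchid", "pepper",
            "quartz", "raven", "saddle", "thistle", "umber", "velvet", "walnut", "xenon",
            "yarrow", "zephyr", "acorn", "bramble", "cobalt", "dune", "elm", "fjord"]

ROUNDS = 4        # assumed keyword rounds per login
PANEL_SIZE = 8    # assumed keywords shown per round: 1 correct + 7 decoys
MAX_ATTEMPTS = 3  # the abstract reports logins "within three attempts"; used as a lockout limit here

_CSPRNG = random.SystemRandom()   # os.urandom-backed; never random.Random for secrets


def guess_space_bits(pool_size, rounds, panel_size=None):
    """Offline (attacker has the hash): rounds * log2(pool_size).
    Online against the UI, where a fixed panel is displayed each round, the
    attacker only picks 1 of panel_size per round: rounds * log2(panel_size)."""
    effective = panel_size if panel_size is not None else pool_size
    return rounds * math.log2(effective)


def assign_keywords(wordlist, rounds):
    """System-assigned: uniform CSPRNG draw per round, so the arithmetic above holds.
    No user choice enters, which is what removes the predictable-pattern problem."""
    pool = sorted(set(wordlist))
    return tuple(_CSPRNG.choice(pool) for _ in range(rounds))


def build_panels(assigned, wordlist, panel_size):
    """Decoys are fixed per account at enrollment. Re-drawing decoys on every login
    would let an observer intersect successive panels to isolate the real keyword."""
    pool = sorted(set(wordlist))
    panels = []
    for kw in assigned:
        decoys = _CSPRNG.sample([w for w in pool if w != kw], panel_size - 1)
        panels.append(sorted(decoys + [kw]))
    return panels


def _digest(keywords, salt):
    # The keyword sequence is still a secret: store a salted, stretched hash, not plaintext.
    return hashlib.pbkdf2_hmac("sha256", " ".join(keywords).encode(), salt, 200_000)


def enroll(wordlist=WORDLIST, rounds=ROUNDS, panel_size=PANEL_SIZE):
    """Returns (assigned keywords to show the user once with their cues, server record)."""
    assigned = assign_keywords(wordlist, rounds)
    salt = secrets.token_bytes(16)
    record = {"salt": salt, "digest": _digest(assigned, salt),
              "panels": build_panels(assigned, wordlist, panel_size), "failures": 0}
    return assigned, record


def challenge(record):
    """Per-login display: shuffle the order within each panel, not its membership."""
    return [_CSPRNG.sample(panel, len(panel)) for panel in record["panels"]]


def verify(record, response, max_attempts=MAX_ATTEMPTS):
    """One keyword picked per round; constant-time compare against the stored digest.
    Refuses once the failure counter reaches the limit, so online guessing is
    bounded by the counter rather than by the small per-panel choice."""
    if record["failures"] >= max_attempts:
        return False
    if len(response) != len(record["panels"]) or any(
            w not in panel for w, panel in zip(response, record["panels"])):
        record["failures"] += 1
        return False
    ok = hmac.compare_digest(_digest(tuple(response), record["salt"]), record["digest"])
    record["failures"] = 0 if ok else record["failures"] + 1
    return ok


if __name__ == "__main__":
    assigned, rec = enroll()
    print("assigned keywords (shown once, with cues):", assigned)
    print("offline guess space: %.1f bits" % guess_space_bits(len(WORDLIST), ROUNDS))
    print("online guess space:  %.1f bits" % guess_space_bits(len(WORDLIST), ROUNDS, PANEL_SIZE))
    print("first panel as displayed:", challenge(rec)[0])
    print("login with assigned keywords:", verify(rec, assigned))
```

With the assumed sizes the numbers themselves make the design point: 32 words over 4 rounds is a 20-bit secret offline, but only 12 bits against the login screen, so a recognition scheme's online security rests on rate limiting and lockout more than on the keyword pool, and the decoy sets must stay fixed per account.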
