Optiwords: A new password policy for creating memorable and strong passwords

Abstract

User-generated textual passwords suffer from the conflict between security and usability. System administrators usually adopt password composition policies to help users choose strong passwords. However, to satisfy strict composition policies while keeping passwords easy to remember, users often fall back on predictable patterns, which in turn reduces password strength, or they write the password down, which may lead to compromise. To overcome this security and usability dilemma, we propose Optiwords, a new textual-password creation policy based on the picture superiority effect that gives users a direct “drawing-to-text” method for creating user-friendly passwords. Optiwords helps users design separate line drawings on the keyboard as a “password figure” and choose the characters on the lines of the drawings in a certain sequence as the final textual password. A two-part user study with 127 participants compared the usability and security of Optiwords with three other popular password policies. The results showed no statistically significant difference in memorability between Optiwords and Basic8 or 3class8. The password strength of Optiwords outperformed Basic8 and 3class8. Compared with Random8, Optiwords had a great advantage in usability.
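The following is an added illustration of the “drawing-to-text” idea described above; it is not code from the paper and does not reproduce the authors’ implementation. It assumes a simplified model of the keyboard as a plain row/column grid of the three letter rows (physical key stagger, the number row and punctuation are ignored), that a “password figure” is a list of straight segments given by their start and end keys, and that a corner shared by two consecutive segments is typed once. The layout, the straight-line rule and the joining rule are all assumptions made for the example.

```python
"""Toy model of an Optiwords-style password figure (added example).

A figure is a sequence of straight line segments drawn over the keyboard;
the textual password is the keys read along each segment in order.
"""

# Assumed simplified layout: three letter rows, indexed as a rectangular grid.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

KEY_POS = {ch: (r, c)
           for r, row in enumerate(KEYBOARD_ROWS)
           for c, ch in enumerate(row)}
POS_KEY = {pos: ch for ch, pos in KEY_POS.items()}


def _sign(n):
    return (n > 0) - (n < 0)


def keys_on_segment(start, end):
    """Return the keys crossed by one segment, start and end inclusive.

    Only horizontal, vertical and 45-degree diagonal segments are accepted
    as "straight lines" on the grid (an assumption of this model).
    """
    r0, c0 = KEY_POS[start]
    r1, c1 = KEY_POS[end]
    dr, dc = r1 - r0, c1 - c0
    if not (dr == 0 or dc == 0 or abs(dr) == abs(dc)):
        raise ValueError(f"{start}->{end} is not a straight line on the grid")
    steps = max(abs(dr), abs(dc))
    sr, sc = _sign(dr), _sign(dc)
    keys = []
    for i in range(steps + 1):
        key = POS_KEY.get((r0 + i * sr, c0 + i * sc))
        if key is None:  # guards layouts with ragged rows; not reachable here
            raise ValueError(f"{start}->{end} leaves the keyboard")
        keys.append(key)
    return keys


def figure_to_password(segments):
    """Turn a list of (start_key, end_key) segments into the textual password.

    When a segment starts on the key the previous one ended on, that shared
    corner is emitted once.
    """
    password = []
    for start, end in segments:
        keys = keys_on_segment(start, end)
        if password and keys[0] == password[-1]:
            keys = keys[1:]
        password.extend(keys)
    return "".join(password)


def is_straight_segment(start, end):
    """True if the segment would be accepted by keys_on_segment."""
    try:
        keys_on_segment(start, end)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed figure: a horizontal stroke along the top row, then a
    # vertical stroke down from its end (an "L" rotated on its side).
    figure = [("q", "t"), ("t", "b")]
    print(figure_to_password(figure))  # qwertgb
    print(is_straight_segment("q", "d"))  # False: one row down, two keys right
```

The model makes one property of the policy visible: the password is fully determined by a handful of endpoints, so the effective choice space is the set of drawable figures rather than the set of character strings, which is why the paper measures strength empirically rather than by character-class counting.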
