LociMotion: Towards Learning a Strong Authentication Secret in a Single Session

In this work, we design and evaluate LociMotion, a training interface to learn a strong authentication secret in a single session. LociMotion automatically takes a random password with twelve lowercase letters (56-bit entropy) to generate the training interface. It first leverages users’ spatial and visual (declarative) memory by showing them a video clip based on the method of loci, and then consolidates the learning process by having them play a computer game that leverages their motor (procedural) memory. The results of a memorability study with 300 participants showed that LociMotion had a significantly higher recall success rate than a control condition. A second study with 200 participants demonstrated the effectiveness of LociMotion over a period of time (99%, 96%, and 81% recall success rates after 1, 4, and 18 days, respectively). LociMotion offers an alternative to the spaced repetition technique, as it does not require dozens of training sessions.
