New Paradigms for Password Security (abstract from the keynote lecture)

For the past several decades, cryptographers have consistently provided us with stronger and more capable primitives and protocols that have found many applications in security systems in everyday life. One of the central tenets of cryptographic design is that, whereas a system's architecture ought to be public and open to scrutiny, the keys on which it depends — long, utterly random, unique strings of bits — will be perfectly preserved by their owner, and yet nominally inaccessible to foes. This security model works well as long as one can assume the existence of an inviolate physical location or storage device to safeguard those keys. In client-server scenarios, the mere delocalization of the participants suffices to enforce a proper boundary without any further precaution. In proxy settings, one may call upon tamper-resistant "smart cards" or hardware security modules to isolate the keys adequately from most opponents. Things break down when one can no longer assume that an external storage medium is available to store our keys, and the only option is to remember them in our minds. The problem, of course, is a cognitive one: the human brain is ill-equipped to remember hundreds of random bits of key material for the long term without making any mistake. The secrets that our brain is keen on remembering are those of our own choosing, which for all their apparent randomness and unpredictability can certainly not be mistaken for, nor substituted for, genuine cryptographic keys. Security from purely mental secrets requires us at the very least to compromise on key strength — this encompassing both entropy and uniformity — and to seek the best reachable security goals based not on ideal random keys but on passwords of sub-cryptographic quality.
Plain textual passwords and passphrases — or passtexts — have always been the preferred form of human-memorable secret, having the benefit of medium-independence, which entails compatibility with virtually any conceivable user interface. More exotic mental secrets — passthoughts — may be based on visual or auditory recognition feedback; these are equivalent to passwords from a cryptographic perspective, but the specialized input device they require makes them less practical. Secrets whose expression requires body action such as speech or ocular movements — passmoves — may also be envisaged given the proper measurement apparatus, with the proviso that the unavoidable measurement noise in the analog signal will have to be dealt with; we merely mention that …