Myphrase: Passwords from your Own Words

To improve manageability and strength of user-chosen passwords, we propose a multi-word password scheme called Myphrase. Contrary to the often-repeated but failed policy of banning common words as passwords, we encourage users to use words that are more personal to them—irrespective of the words being too common or esoteric. In Myphrase, a small dictionary is created from user-authored content such as sent emails and blogs. A master passphrase is constructed by randomly selecting words from the dictionary. We propose two variants as a trade-off between security and memorability; in random sequence, words are chosen uniformly across the dictionary, and in connected discourse, words are tagged using a part-of-speech engine and inserted appropriately into sentence templates. Words in the passphrase are expected to be easily recognizable to users and can be efficiently entered by leveraging the auto-suggest feature. Myphrase is designed to be compatible with both desktop and mobile platforms—a growing requirement for current authentication schemes. We create website-specific passwords from the master passphrase by salting the phrase with the site’s domain. To restrict offline attacks on the master passphrase from exposed site passwords, we require the passphrase to be of sufficient length (e.g., 6 words from a 1024-word dictionary, resulting in 60 bits of entropy in the random sequence variant). Entropy calculation for the connected discourse variant is less straightforward. We analyze Myphrase dictionaries and expected entropy of generated passphrases with two datasets: the Enron email corpus, and several popular books from Project Gutenberg. We also evaluate Myphrase using a recently proposed, slightly modified, framework of usability-deployability-security ratings, and seek feedback on our proof-of-concept prototypes available for both desktop and mobile platforms.
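The random-sequence variant and the domain-salted site-password derivation described above, as an added worked example that is not code from the paper or its prototypes. The sample "sent mail" text is constructed, and PBKDF2-HMAC-SHA256 is assumed as the key derivation function; the dictionary builder simply ranks words by frequency.

```python
import base64
import hashlib
import math
import re
import secrets
from collections import Counter

# Constructed stand-in for a user's sent mail; a deployment would read real
# user-authored text (assumption: plain ASCII text).
SAMPLE_TEXT = """Thanks for the draft. The budget numbers look solid, but the
travel line needs a second look before Friday. Can we move the review meeting
to Thursday? I will send the revised budget and the travel summary tonight."""


def build_dictionary(text, size):
    """The `size` most frequent distinct words, lower-cased. Ties break
    alphabetically so the same text yields the same dictionary on every device."""
    counts = Counter(re.findall(r"[a-z]+", text.lower()))
    return sorted(counts, key=lambda w: (-counts[w], w))[:size]


def random_sequence_passphrase(dictionary, num_words, choose=secrets.choice):
    """Random-sequence variant: each word drawn uniformly, with replacement."""
    return [choose(dictionary) for _ in range(num_words)]


def entropy_bits(dict_size, num_words):
    """Uniform draws with replacement: log2(dict_size ** num_words)."""
    return num_words * math.log2(dict_size)


def site_password(master_words, domain, length=16, iterations=200_000):
    """Site password = KDF(normalised phrase, salt=lower-cased domain).
    Assumption: PBKDF2-HMAC-SHA256 stands in for whatever KDF the paper uses."""
    phrase = " ".join(w.lower() for w in master_words).encode()
    raw = hashlib.pbkdf2_hmac("sha256", phrase, domain.lower().encode(), iterations)
    return base64.b64encode(raw).decode()[:length]


if __name__ == "__main__":
    words = build_dictionary(SAMPLE_TEXT, 16)
    phrase = random_sequence_passphrase(words, 6)
    print(" ".join(phrase), "->", entropy_bits(len(words), 6), "bits")
    print(site_password(phrase, "Example.org"))
```

With a 1024-word dictionary `entropy_bits(1024, 6)` gives the 60 bits quoted in the abstract; the small sample dictionary here yields far less, which is why the scheme requires a dictionary of that size before a six-word phrase is considered sufficient.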
