Isn't that Fantabulous: Security, Linguistic and Usability Challenges of Pronounceable Tokens

Research article. DOI: 10.1145/2683467.2683470

Published: 15 September 2014

Abstract

Over the past few decades, passwords as a means of user authentication have been consistently criticized by users and security analysts alike. However, password-based systems are ubiquitous and entrenched in modern society: users understand how to use them, system administrators are intimately familiar with their operation, and many robust frameworks exist to make deploying passwords simple. Unfortunately, much of the formal research on user authentication has focused on attempting to provide alternatives (e.g., biometrics) to password-based mechanisms (or on belated analyses of users' password choices), forcing administrators to use ad-hoc methods in attempts to improve security. This practice has led to user frustration and inflated estimates of system security. We challenge common wisdom and re-examine whether pronounceable authentication strings might indeed offer a more reasonable alternative to traditional passwords. We argue that pronounceable authentication strings can lead to both improved system security and a decreased burden on users. To re-examine this potential, we explore questions related to how one might develop techniques for rating the pronounceability of word-like strings, and in doing so enable one to quantify pronunciation difficulty. Armed with such an understanding, we posit new directions for generating usable passwords which are pronounceable and, we hope, memorable, hint-able and resistant to attack.


Published In

NSPW '14: Proceedings of the 2014 New Security Paradigms Workshop
September 2014
148 pages
ISBN: 9781450330626
DOI: 10.1145/2683467

Sponsors

• ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. lexical blends
2. pronounceable passwords
3. usable security

Qualifiers

• Research-article

Conference

NSPW '14: New Security Paradigms Workshop
September 15 - 18, 2014
Victoria, British Columbia, Canada

Acceptance Rates

NSPW '14 Paper Acceptance Rate: 11 of 32 submissions, 34%
Overall Acceptance Rate: 98 of 265 submissions, 37%

Article Metrics

• Downloads (Last 12 months): 6
• Downloads (Last 6 weeks): 0
Reflects downloads up to 12 Nov 2024