DOI: 10.1145/2976749.2978346
Research article
An Empirical Study of Mnemonic Sentence-based Password Generation Strategies

Published: 24 October 2016

Abstract

The mnemonic strategy has been recommended to help users generate secure and memorable passwords. We evaluated the security of 6 mnemonic strategy variants in a series of online studies involving 5,484 participants. In addition to applying the standard method of using guess numbers or similar metrics to compare the generated passwords, we also measured the frequencies of the most commonly chosen sentences and of the resulting passwords. While metrics similar to guess numbers suggested that all variants provided highly secure passwords, statistical metrics told a different story. In particular, differences in the exact instructions had a tremendous impact on the security level of the resulting passwords. We examined the mental workload and memorability of 2 mnemonic strategy variants in another online study with 752 participants. Although perceived workloads for the mnemonic strategy variants were higher than for the control group, where no strategy was required, no significant reduction in password recall after 1 week was observed.
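To make the abstract's contrast concrete, here is an added Python example (not code from the paper) that scores one constructed password sample two ways: a per-password keyspace estimate standing in for guess-number-style metrics, and distribution-level metrics (min-entropy and the fraction of accounts covered by the β most common passwords). The sample strings and the character-class sizes are assumptions.

```python
# Added example, not code from the paper: score one constructed password sample
# with a per-password strength estimate and with distribution-level metrics.
from collections import Counter
from math import log2

# Constructed sample standing in for passwords produced under one strategy
# variant: every string is 7+ characters of mixed classes, but a few strings
# were chosen by many participants (the effect the abstract describes).
SAMPLE = (["Mhal1Lj!"] * 25 + ["Tbq5jumpotld"] * 15 + ["Iw2tbaP!"] * 6
          + [f"Zq{i}Kx!p" for i in range(54)])  # 57 distinct, 100 total

# Assumed character-class sizes for the keyspace estimate.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def per_password_bits(pw):
    """Keyspace estimate for one password: length * log2(classes used)."""
    used = 0
    if any(c.islower() for c in pw):
        used += CLASS_SIZES["lower"]
    if any(c.isupper() for c in pw):
        used += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in pw):
        used += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in pw):
        used += CLASS_SIZES["symbol"]
    return len(pw) * log2(used)


def min_entropy(passwords):
    """-log2 of the most common password's frequency (one-guess strength)."""
    counts = Counter(passwords)
    p_max = counts.most_common(1)[0][1] / len(passwords)
    return -log2(p_max)


def beta_success_rate(passwords, beta):
    """Fraction of accounts opened by trying only the beta most common passwords."""
    hits = sum(n for _, n in Counter(passwords).most_common(beta))
    return hits / len(passwords)


def summarize(passwords):
    """Per-password average (looks strong) next to the distribution metrics."""
    mean_bits = sum(per_password_bits(p) for p in passwords) / len(passwords)
    return {"mean_keyspace_bits": mean_bits,
            "min_entropy_bits": min_entropy(passwords),
            "top3_success_rate": beta_success_rate(passwords, 3)}
```

On this sample every password scores above 50 bits of keyspace, yet the three most common strings alone cover 46% of accounts and the min-entropy is only 2 bits, which is the kind of gap between per-password and statistical metrics the abstract reports.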




Published In

CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
October 2016
1924 pages
ISBN: 9781450341394
DOI: 10.1145/2976749

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. mnemonic strategy
2. password
3. password generation


Funding Sources

• United States National Science Foundation


Acceptance Rates

CCS '16 paper acceptance rate: 137 of 831 submissions, 16%
Overall acceptance rate: 1,261 of 6,999 submissions, 18%


Cited By

• (2024) An Analysis of Password Managers' Password Checkup Tools. Extended Abstracts of the CHI Conference on Human Factors in Computing Systems, pages 1-7. DOI: 10.1145/3613905.3650741. Online publication date: 11 May 2024.
• (2024) X-MyoNET: Biometric Identification Using Deep Processing of Dynamic Surface Electromyography. IEEE Transactions on Instrumentation and Measurement, 73:1-13. DOI: 10.1109/TIM.2024.3384571. Online publication date: 2024.
• (2023) New Observations on Zipf's Law in Passwords. IEEE Transactions on Information Forensics and Security, 18:517-532. DOI: 10.1109/TIFS.2022.3176185. Online publication date: 2023.
• (2023) Towards a Rigorous Statistical Analysis of Empirical Password Datasets. 2023 IEEE Symposium on Security and Privacy (SP), pages 606-625. DOI: 10.1109/SP46215.2023.10179431. Online publication date: May 2023.
• (2023) Using language-specific input methods and pronunciation rules to improve the guesses of passwords. Journal of Information Security and Applications, 77:C. DOI: 10.1016/j.jisa.2023.103588. Online publication date: 1 September 2023.
• (2022) Enhancing the user authentication process with colour memory cues. Behaviour & Information Technology, 42(10):1548-1567. DOI: 10.1080/0144929X.2022.2091474. Online publication date: 15 July 2022.
• (2021) TransPCFG: Transferring the Grammars From Short Passwords to Guess Long Passwords Effectively. IEEE Transactions on Information Forensics and Security, 16:451-465. DOI: 10.1109/TIFS.2020.3003696. Online publication date: 2021.
• (2021) Feasibility of Inferring Keystrokes on PEDs with Sensors from Mobile Devices. 2021 IEEE 30th International Symposium on Industrial Electronics (ISIE), pages 1-6. DOI: 10.1109/ISIE45552.2021.9576392. Online publication date: 20 June 2021.
• (2021) Bicycle attacks considered harmful. Computers and Security, 100:C. DOI: 10.1016/j.cose.2020.102068. Online publication date: 1 January 2021.
• (2021) Memorability of Japanese Mnemonic Passwords. Cross-Cultural Design. Experience and Product Design Across Cultures, pages 420-429. DOI: 10.1007/978-3-030-77074-7_32. Online publication date: 3 July 2021.
