An empirical study of mnemonic password creation tips

Published: 01 August 2019

Abstract

Strong passwords tend to be hard to memorize, and easy-to-remember passwords tend to be predictable. User-created passwords are memorable but may be easily cracked. Is there any strategy that can help users choose a strong but still memorable password? Some users already use mnemonic tips to create passwords, but are the passwords created by these tips strong? In this paper, we study the security and usability of four common mnemonic password creation tips. We recruited 209 participants in an online study and compared the strength of passwords created by the 4 tips against guessing attacks with two commonly used datasets, the 178 website and the phpBB website. We used PCFG and Markov model guessers to analyze the guessability of passwords created by the 4 tips and the two control groups. We also used statistical measures of the password distribution of each group, namely minimum entropy, β-success-rate and α-guesswork. In addition, we analyzed the security of these four password creation tips under known attacks. To evaluate the usability of these tips, we conducted a user study in the lab. We found some expected and unexpected results, including: under an unknown attack, the passwords created by the 4 tips are stronger than those in the two control groups; passwords created by mnemonic tips are not necessarily strong, as some mnemonic tips make it easier to create strong passwords while others do the opposite; under known attacks, some mnemonic tips are not resistant to offline guessing attacks; and usability results showed that these mnemonic tips exhibit inconsistent memorability.
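The abstract names three distribution-level strength metrics, minimum entropy, β-success-rate and α-guesswork, without showing how they are computed. The following is an added example, not code or data from the paper: it implements the three metrics as defined in Bonneau's "The science of guessing" over a small constructed password-frequency table that stands in for one study group. The sample counts and the group name are invented for illustration; the metric definitions are the published ones.

```python
from math import log2

# Constructed toy frequency table for one hypothetical group (NOT data from
# the paper). Keys are passwords, values are how many participants chose them.
SAMPLE_GROUP = {
    "123456": 40, "password": 25, "qwerty": 15, "iloveyou": 10,
    "Ih2b@7am!": 3, "Tq3bf,j0tld": 3, "M3mn0n1c!": 2, "Wt4s&aW": 2,
}


def distribution(counts):
    """Turn a frequency table into probabilities sorted in descending order,
    i.e. the order an optimal guesser would try them."""
    total = sum(counts.values())
    return sorted((c / total for c in counts.values()), reverse=True)


def min_entropy(probs):
    """H_inf = -log2(p_1): bits of work to guess the single most likely password.
    A lower bound on the strength of the weakest accounts, not the average."""
    return -log2(probs[0])


def beta_success_rate(probs, beta):
    """lambda_beta: fraction of accounts an online attacker cracks with at most
    beta guesses per account (e.g. beta = lockout threshold)."""
    return sum(probs[:beta])


def alpha_guesswork(probs, alpha):
    """G_alpha: expected guesses per account for an offline attacker who wants to
    crack a fraction alpha of accounts and gives up after mu_alpha guesses each.
    mu_alpha is the smallest guess count whose cumulative success reaches alpha.
    Returns (mu_alpha, lambda_mu, G_alpha)."""
    cum, mu = 0.0, 0
    for p in probs:
        mu += 1
        cum += p
        if cum >= alpha:
            break
    lam = sum(probs[:mu])
    # Accounts cracked at guess i cost i guesses; uncracked ones cost all mu.
    g = (1 - lam) * mu + sum(p * i for i, p in enumerate(probs[:mu], start=1))
    return mu, lam, g


def alpha_guesswork_bits(probs, alpha):
    """G_alpha expressed in bits, scaled so that a uniform distribution over
    2^n passwords yields n bits (Bonneau's normalisation)."""
    _, lam, g = alpha_guesswork(probs, alpha)
    return log2(2 * g / lam - 1) + log2(1 / (2 - lam))


def strength_summary(counts, beta=3, alpha=0.5):
    """Metrics a study would report for one group, as a dict."""
    probs = distribution(counts)
    mu, _, g = alpha_guesswork(probs, alpha)
    return {
        "min_entropy_bits": min_entropy(probs),
        f"lambda_{beta}": beta_success_rate(probs, beta),
        f"mu_{alpha}": mu,
        f"G_{alpha}": g,
        f"G_{alpha}_bits": alpha_guesswork_bits(probs, alpha),
    }


if __name__ == "__main__":
    for k, v in strength_summary(SAMPLE_GROUP).items():
        print(f"{k:>18}: {v:.3f}" if isinstance(v, float) else f"{k:>18}: {v}")
```

Comparing two groups means computing the same summary for each frequency table and reading the metrics side by side; note that β-success-rate speaks to the online (rate-limited) threat and α-guesswork to the offline one, which is why a tip can look fine on one and poor on the other.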


Published In

Computers and Security, Volume 85, Issue C, Aug 2019, 453 pages

Publisher

Elsevier Advanced Technology Publications, United Kingdom

Author Tags

1. Password tip
2. Mnemonic password
3. Password strength
4. Password policy
5. Guessability
