Paper 2015/166

Naturally Rehearsing Passwords

Jeremiah Blocki, Manuel Blum, and Anupam Datta

Abstract

We introduce quantitative usability and security models to guide the design of \emph{password management schemes} --- systematic strategies to help users create and remember multiple passwords. In the same way that security proofs in cryptography are based on complexity-theoretic assumptions (e.g., hardness of factoring and discrete logarithm), we quantify usability by introducing \emph{usability assumptions}. In particular, password management relies on assumptions about human memory, e.g., that a user who follows a particular rehearsal schedule will successfully maintain the corresponding memory. These assumptions are informed by research in cognitive science and can be tested empirically. Given rehearsal requirements and a user's visitation schedule for each account, we use the total number of extra rehearsals that the user would have to do to remember all of his passwords as a measure of the usability of the password scheme. Our usability model leads us to a key observation: password reuse benefits users not only by reducing the number of passwords that the user has to memorize, but more importantly by increasing the natural rehearsal rate for each password. We also present a security model which accounts for the complexity of password management with multiple accounts and associated threats, including online, offline, and plaintext password leak attacks. Observing that current password management schemes are either insecure or unusable, we present Shared Cues--- a new scheme in which the underlying secret is strategically shared across accounts to ensure that most rehearsal requirements are satisfied naturally while simultaneously providing strong security. The construction uses the Chinese Remainder Theorem to achieve these competing goals.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
A minor revision of an IACR publication in ASIACRYPT 2013
Keywords
Password Management SchemeSecurity ModelUsability ModelChinese Remainder TheoremSufficient Rehearsal AssumptionVisitation Schedule
Contact author(s)
jblocki @ cs cmu edu
History
2015-02-27: received
Short URL
https://ia.cr/2015/166
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2015/166,
      author = {Jeremiah Blocki and Manuel Blum and Anupam Datta},
      title = {Naturally Rehearsing Passwords},
      howpublished = {Cryptology {ePrint} Archive, Paper 2015/166},
      year = {2015},
      url = {https://eprint.iacr.org/2015/166}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.