DOI: 10.1145/1143120.1143129

Human selection of mnemonic phrase-based passwords

Published: 12 July 2006

ABSTRACT

Textual passwords are often the only mechanism used to authenticate users of a networked system. Unfortunately, many passwords are easily guessed or cracked. In an attempt to strengthen passwords, some systems instruct users to create mnemonic phrase-based passwords. A mnemonic password is one where a user chooses a memorable phrase and uses a character (often the first letter) to represent each word in the phrase. In this paper, we hypothesize that users will select mnemonic phrases that are commonly available on the Internet, and that it is possible to build a dictionary to crack mnemonic phrase-based passwords. We conduct a survey to gather user-generated passwords. We show the majority of survey respondents based their mnemonic passwords on phrases that can be found on the Internet, and we generate a mnemonic password dictionary as a proof of concept. Our 400,000-entry dictionary cracked 4% of mnemonic passwords; in comparison, a standard dictionary with 1.2 million entries cracked 11% of control passwords. The user-generated mnemonic passwords were also slightly more resistant to brute force attacks than control passwords. These results suggest that mnemonic passwords may be appropriate for some uses today. However, mnemonic passwords could become more vulnerable in the future and should not be treated as a panacea.
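As an added illustration (not code from the paper), the following Python builds a small mnemonic-phrase dictionary of the kind the abstract describes and runs it against a set of hashed passwords. The phrase corpus, the candidate-generation rules (first character of each word, case variants, number-word substitutions such as "to" -> "2", digits kept whole, trailing punctuation retained) and the target hashes are all constructed here; the paper's own dictionary-building rules are not reproduced on this page. Unsalted SHA-256 stands in for whatever hash format a real target stores.

```python
"""Mnemonic-phrase password dictionary attack, as an added example.

The phrase corpus, transformation rules and target hashes are constructed
for illustration and are not the paper's own data or rules.
"""
import hashlib
import re
from typing import Dict, Iterable, Iterator, List, Set

# Constructed corpus standing in for phrases scraped from lyric, quote and
# slogan sites.  A real corpus runs to hundreds of thousands of phrases.
PHRASES = [
    "To be or not to be, that is the question",
    "Four score and seven years ago",
    "Mary had a little lamb",
    "Just do it",
    "May the force be with you",
    "Twinkle twinkle little star, how I wonder what you are",
    "99 bottles of beer on the wall",
    "I want to hold your hand",
    "Where's the beef?",
]

# Assumed substitutions: users often write "2" for "to" and "4" for "for".
NUMBER_WORDS = {"to": "2", "too": "2", "two": "2", "for": "4", "four": "4",
                "one": "1", "ate": "8", "eight": "8"}

WORD_RE = re.compile(r"[A-Za-z0-9']+")


def tokens(phrase: str) -> List[str]:
    """Split a phrase into words, keeping apostrophes inside a word."""
    return WORD_RE.findall(phrase)


def first_chars(words: Iterable[str], substitute: bool) -> str:
    """One character per word: the first letter, a whole number, or a
    number-word substitution when `substitute` is set."""
    out = []
    for w in words:
        lw = w.lower()
        if w.isdigit():
            out.append(w)            # "99" stays "99", not "9"
        elif substitute and lw in NUMBER_WORDS:
            out.append(NUMBER_WORDS[lw])
        else:
            out.append(w[0])
    return "".join(out)


def candidates(phrase: str) -> Iterator[str]:
    """Yield mnemonic candidates for one phrase under the assumed rules."""
    words = tokens(phrase)
    if not words:
        return
    last = phrase.strip()[-1]
    trailing = last if last in "!?." else ""
    for substitute in (False, True):
        base = first_chars(words, substitute)
        variants = {base, base.lower(), base.upper(),
                    base[0].upper() + base[1:].lower()}
        for v in variants:
            yield v
            if trailing:
                yield v + trailing   # "Where's the beef?" -> "wtb?"


def build_dictionary(phrases: Iterable[str]) -> Set[str]:
    d: Set[str] = set()
    for p in phrases:
        d.update(candidates(p))
    return d


def hash_pw(pw: str) -> str:
    # Unsalted SHA-256 as a stand-in for the target's real hash format.
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed "leaked" hashes.  Four are phrase-based and reachable by the
# rules above; one keeps the phrase's internal comma (no rule produces it)
# and one is random, so both should survive the dictionary.
TARGETS = {
    "alice": hash_pw("tbontbtitq"),   # To be or not to be...
    "bob":   hash_pw("Mtfbwy"),       # May the force be with you
    "carol": hash_pw("2bon2btitq"),   # same phrase, "to" -> "2"
    "frank": hash_pw("99bobotw"),     # 99 bottles of beer on the wall
    "erin":  hash_pw("tbontb,titq"),  # internal comma: not generated
    "dave":  hash_pw("x7Qp#mL9"),     # random, not phrase-based
}


def crack(targets: Dict[str, str], dictionary: Iterable[str]) -> Dict[str, str]:
    """Return {user: plaintext} for every target hash the dictionary hits."""
    by_hash: Dict[str, str] = {}
    for pw in dictionary:
        by_hash.setdefault(hash_pw(pw), pw)
    return {u: by_hash[h] for u, h in targets.items() if h in by_hash}


if __name__ == "__main__":
    d = build_dictionary(PHRASES)
    found = crack(TARGETS, d)
    print(f"dictionary size: {len(d)}")
    for user, pw in sorted(found.items()):
        print(f"{user}: {pw}")
    print(f"cracked {len(found)}/{len(TARGETS)}")
```

Two of the constructed targets stay uncracked on purpose: the random password, and the mnemonic that keeps the phrase's internal comma, which none of the rules above generates. That gap is the practical lesson behind the abstract's numbers: the hit rate of a mnemonic dictionary is bounded by how well its transformation rules and phrase corpus mirror what users actually do, so a 4% crack rate measured with one 400,000-entry dictionary is better read as a floor than a ceiling.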


Published in

SOUPS '06: Proceedings of the second symposium on Usable privacy and security
July 2006
168 pages
ISBN: 1595934480
DOI: 10.1145/1143120

Copyright © 2006 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates

Overall acceptance rate: 15 of 49 submissions, 31%
