Presentation is loading. Please wait.

Presentation is loading. Please wait.

Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords Jeremiah Blocki Saranga Komanduri Lorrie Cranor Anupam Datta NDSS 2015.

Published byJoleen Logan Modified over 10 years ago

Similar presentations

Presentation on theme: "Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords Jeremiah Blocki Saranga Komanduri Lorrie Cranor Anupam Datta NDSS 2015."— Presentation transcript:

1 Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords Jeremiah Blocki Saranga Komanduri Lorrie Cranor Anupam Datta NDSS 2015

2 Motivation 2

3

4 Usability Problem 4

5 Security Problem Password breaches at major companies have affected millions of users. 5

6 Traditional Security Advice 6 Not too short Use mix of lower/upper case letters Change your passwords every 90 days Use numbers and letters Don’t use words/names Use special symbols Don’t Write it Down Don’t Reuse Passwords

7

8 Previous Work: Shared Cues Combinatorial Design: Each pairs of accounts has at most secret stories in common. 8 Source: Naturally Rehearsing Passwords [BBD13]

9 Previous Work: Sharing Cues Usability Advantages – Fewer stories to remember! – More Natural Rehearsals! Security? Day: 1 2 4 5 8 9 Source: Naturally Rehearsing Passwords [BBD13] Visit Amazon: Natural Rehearsal Google

10 7 75+ 1575+ 4375+ PAO Stories #PasswordsSecurity 414 Previous Work: Shared Cues 10 Adversary with one password is unlikely to crack any other password

11 User Study Goals Spaced Repetition – Can users recall multiple PAO stories by following spaced repetition schedules? – Which schedules work best? Mnemonic Advantage – Does the PAO mnemonic technique improve recall? Interference Effect 11

12 Outline Motivation Study Protocol – Recruitment and Incentives – Memorization Phase – Rehearsal Phase – Conditions Results Discussion Future Directions 12

13 Recruitment 578 participants completed initial memorization phase

14 Recruitment “Participate in a Carnegie Mellon University research study on memory. …” “…you will be asked to memorize and rehearse random words.” 578 participants completed initial memorization phase

15 User Study Protocol Memorization Phase (5 minutes): – Participants asked to memorize four randomly selected person-action object stories. Rehearsal Phase (120+ days): – Participants periodically asked to return and rehearse their stories (following rehearsal schedule) 15

16 Memorization Phase 16

17 Memorization Phase 17

18 Memorization Phase 18

19 Memorization Phase (Text) 19

20 Rehearsal 20

21 Rehearsal Schedules Day:0 16 32 48 64 80 96 112 128 144 160 2 10 8 9 7 6 5 4 3 1 0 Final Rehearsal (t 10 ): 157 days 21

22 Rehearsal Schedules 2 76 5 4 3 1 0 Final Rehearsal (t 7 ): 127 days Day:0 16 32 48 64 80 96 112 128 144 160 22

23 Rehearsal Schedules Rehearsal#/ Schedule 123456789101112 12hrx1.5.5 day1.754.28.214.724.740.764.7101.7157.7N/ A 24hrX2 1 day37153163127N/A 24hrX2+2Start.1 day.61.63.67.615.631.663.6127.6N/A 30minX2.5 hr1.5hr3.5 hr 7.5 hr 15.5 hr 1.7 day 3.77.715.731.763. 7 127.7 23

24 Incentives Memorization Phase ($0.5) Rehearsal Phase ($0.75 each) – Encourage participants to return – Discourage Cheating

25 Do Not Write Down Your Words “…we ask that you do not write down the words that we ask you to memorize.” “You will be paid for each completed rehearsal phase --- even if you forgot the words.” “Important: …do not write down the words” “You will be paid for each completed rehearsal phase --- even if you forgot the words.”

26 Study Conditions Mnemonic/text Rehearsal Schedule # PAO Stories – One, Two or Four m_12hrX1.5_4 26

27 Study Conditions ConditionComment m_24hrX2+2Start_11 PAO Story m_24hrX2+2Start_22 PAO Stories m_24hrX2+2Start_44 PAO Stories ConditionComment t_24hrX2+2Start_4Text condition/No Cues m_24hrX2+2Start_4Mnemonic Condition Interference Mnemonic vs Text 27

28 Study Conditions ConditionComment m_24hrX2_424 hour base m_24hrX2+2Start_4Two Extra Rehearsals on Day 1 m_30minX2_430 min base m_12hrX1.5_4Growth Rate: 1.5x Compare Rehearsal Schedules 28

29 Challenge: Dropped Participants Result of Last Rehearsal Invited to Return for Next Rehearsal? Remembered All Words Yes * Participant was reminded of his words & asked to rehearse again Failed to Return/LateNo Forgot Some WordsYes* 29

30 Survey: Dropped Participants No participant self-reported that they didn’t return because the stories were too difficult to memorize. 30

31 Outline Motivation Study Protocol Results Discussion Future Directions 31

32 Rehearsal Schedules 32 Survived(i)/Returned(i) Days

33 Rehearsal Schedules 33 Survived(i)/Returned(i) Days * Statistically Significant (p=0.05) Participants twice as likely to fail at any given point in time

34 Text vs Mnemonic Survived(i)/Returned(i) Advantage is statistically significant Advantage is not statistically significant 34

35 Interference Survived(i)/Returned(i) Interference Effect was Statistically Significant 35 Days

36 Results Succeeded(i)/Returned(i) 36

37 Backup Results

38 Findings Spaced Repetition – Yes, participants did remember multiple PAO stories! – Winning Schedule: 12hrX1.5 Mnemonics – Short Term: Benefit is statistically significant – Long Term: Rehearsal schedule was only significant factor Interference – Benefit: Memorize one story at a time – Future Work: Causes of interference 38

39 Outline Motivation Study Protocol Results Discussion & Future Directions – Password Expiration Policies – Password Strengthening – Mitigating Interference 39

40 Password Expiration Policy 40

41 Our Take: Password Expiration Policies High Effort Region Day:0 16 32 48 64 80 96 112 128 144 160 2 10 89 7 6 5 4 3 1 Low Effort Region We believe our study calls into question the merit of continuing the practice of password expiration. 41

42 We believe our study calls into question the merit of continuing the practice of password expiration. 42

43 Password Strengthening Towards reliable storage of 56-bit secrets in human memory [BS14] 7 0 90 Day:0 16

44 Related Work 44 2 7 0 Day:0 16 Day:0 16 32 48 64 80 96 112 128 144 160 2 10 8 9 7 6 4 3 1 0 5 90

45 Password Strengthening Mechanism 45 jblocki, Abcd1234 Bouncing, Smore

46 Password Strengthening Mechanism 46 Abcd1234 + ? Bouncing, Smore jblocki

47 Password Strengthening Mechanism 47 Abcd1234 + EatingSmore Bouncing, Smore jblocki

48 Password Strengthening Mechanism 48 Abcd1234 + BouncingSmore jblocki Once we can be confident that the user will remember the story we add it to the password.

49 Future Directions Understand the Cause(s) of Interference – User Fatigue? – Mixing up stories? Mitigating Interference – Staggered Memorization Schedule? – Gracefully Expanding Combinatorial Designs 49

50 Future Directions Spaced Repetition with other mnemonics – Graphical Secrets 50

51 Thanks for Listening 51

52 Conclusion Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords … …

53 Related Work Password Management Software Goal: Minimize Trust Assumptions about User’s Computational Devices 53

54 Related Work Alternatives to Passwords Quest to Replace Passwords [BHOS2012] 54

Download ppt "Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords Jeremiah Blocki Saranga Komanduri Lorrie Cranor Anupam Datta NDSS 2015."

Similar presentations

How to motivate participation in HES? EHES Training Material.

How to motivate participation in HES? EHES Training Material.
How to motivate participation in HES. The purpose of recruitment The goal is to achieve as high participation as possible Ensures that the sample represents.

How to motivate participation in HES. The purpose of recruitment The goal is to achieve as high participation as possible Ensures that the sample represents.
A mobile single sign-on system Master thesis 2006 Mats Byfuglien.

A mobile single sign-on system Master thesis 2006 Mats Byfuglien.
A Comprehensive Study of the Usability of multiple Graphical Passwords SoumChowdhury (Presenter) Ron Poet Lewis Mackenzie 1 School of Computing Science.

A Comprehensive Study of the Usability of multiple Graphical Passwords SoumChowdhury (Presenter) Ron Poet Lewis Mackenzie 1 School of Computing Science.
Naturally Rehearsing Passwords Jeremiah Blocki ASIACRYPT 2013 Manuel Blum Anupam Datta.

Naturally Rehearsing Passwords Jeremiah Blocki ASIACRYPT 2013 Manuel Blum Anupam Datta.
Chapter 7 Listening, Note Taking & Memory. How can you become a better listener? Listening – “A process that involves sensing, interpreting, evaluating.

Chapter 7 Listening, Note Taking & Memory. How can you become a better listener? Listening – “A process that involves sensing, interpreting, evaluating.
1 J. Alex Halderman A Convenient Method for Securely Managing Passwords J. Alex Halderman Princeton Brent Waters Stanford Edward W. Felten Princeton.

1 J. Alex Halderman A Convenient Method for Securely Managing Passwords J. Alex Halderman Princeton Brent Waters Stanford Edward W. Felten Princeton.
GOTCHA Password Hackers! Jeremiah Blocki Manuel Blum Anupam Datta AISec2013 Presented by Arunesh Sinha.

GOTCHA Password Hackers! Jeremiah Blocki Manuel Blum Anupam Datta AISec2013 Presented by Arunesh Sinha.
Usable and Secure Password Management Jeremiah Blocki Spring 2012 Theory Lunch.

Usable and Secure Password Management Jeremiah Blocki Spring 2012 Theory Lunch.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle.

Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle.
Cryptography. 2 Objectives Explain common terms used in the field of cryptography Outline what mechanisms constitute a strong cryptosystem Demonstrate.

Cryptography. 2 Objectives Explain common terms used in the field of cryptography Outline what mechanisms constitute a strong cryptosystem Demonstrate.
Diary studies Rikard Harr November 2010 © Rikard Harr 20103 Outline The Diary study: benefits, challenges and alternatives The papers: aims and use of.

Diary studies Rikard Harr November 2010 © Rikard Harr Outline The Diary study: benefits, challenges and alternatives The papers: aims and use of.
Naturally Rehearsing Passwords Jeremiah Blocki NSF TRUST October 2013 Manuel Blum Anupam Datta.

Naturally Rehearsing Passwords Jeremiah Blocki NSF TRUST October 2013 Manuel Blum Anupam Datta.
Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Authentication and access control.

Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Authentication and access control.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Usable Privacy and Security Carnegie Mellon University Spring 2006 Cranor/Hong/Reiter 1 Course Overview January.

Usable Privacy and Security Carnegie Mellon University Spring 2006 Cranor/Hong/Reiter 1 Course Overview January.
Online Surveys: Approach, Issues and Challenges Mohini Singh PhD School of BIT.

Online Surveys: Approach, Issues and Challenges Mohini Singh PhD School of BIT.
Password Management Strategies for Online Accounts Gaw & Felten Optional Reading.

Password Management Strategies for Online Accounts Gaw & Felten Optional Reading.
Human Computable Passwords

Human Computable Passwords

Similar presentations

Ads by Google