Download presentation
Presentation is loading. Please wait.
Published byJoleen Logan Modified over 9 years ago
1
Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords Jeremiah Blocki Saranga Komanduri Lorrie Cranor Anupam Datta NDSS 2015
2
Motivation 2
4
Usability Problem 4
5
Security Problem Password breaches at major companies have affected millions of users. 5
6
Traditional Security Advice 6 Not too short Use mix of lower/upper case letters Change your passwords every 90 days Use numbers and letters Don’t use words/names Use special symbols Don’t Write it Down Don’t Reuse Passwords
8
Previous Work: Shared Cues Combinatorial Design: Each pairs of accounts has at most secret stories in common. 8 Source: Naturally Rehearsing Passwords [BBD13]
9
Previous Work: Sharing Cues Usability Advantages – Fewer stories to remember! – More Natural Rehearsals! Security? Day: 1 2 4 5 8 9 Source: Naturally Rehearsing Passwords [BBD13] Visit Amazon: Natural Rehearsal Google
10
7 75+ 1575+ 4375+ PAO Stories #PasswordsSecurity 414 Previous Work: Shared Cues 10 Adversary with one password is unlikely to crack any other password
11
User Study Goals Spaced Repetition – Can users recall multiple PAO stories by following spaced repetition schedules? – Which schedules work best? Mnemonic Advantage – Does the PAO mnemonic technique improve recall? Interference Effect 11
12
Outline Motivation Study Protocol – Recruitment and Incentives – Memorization Phase – Rehearsal Phase – Conditions Results Discussion Future Directions 12
13
Recruitment 578 participants completed initial memorization phase
14
Recruitment “Participate in a Carnegie Mellon University research study on memory. …” “…you will be asked to memorize and rehearse random words.” 578 participants completed initial memorization phase
15
User Study Protocol Memorization Phase (5 minutes): – Participants asked to memorize four randomly selected person-action object stories. Rehearsal Phase (120+ days): – Participants periodically asked to return and rehearse their stories (following rehearsal schedule) 15
16
Memorization Phase 16
17
Memorization Phase 17
18
Memorization Phase 18
19
Memorization Phase (Text) 19
20
Rehearsal 20
21
Rehearsal Schedules Day:0 16 32 48 64 80 96 112 128 144 160 2 10 8 9 7 6 5 4 3 1 0 Final Rehearsal (t 10 ): 157 days 21
22
Rehearsal Schedules 2 76 5 4 3 1 0 Final Rehearsal (t 7 ): 127 days Day:0 16 32 48 64 80 96 112 128 144 160 22
23
Rehearsal Schedules Rehearsal#/ Schedule 123456789101112 12hrx1.5.5 day1.754.28.214.724.740.764.7101.7157.7N/ A 24hrX2 1 day37153163127N/A 24hrX2+2Start.1 day.61.63.67.615.631.663.6127.6N/A 30minX2.5 hr1.5hr3.5 hr 7.5 hr 15.5 hr 1.7 day 3.77.715.731.763. 7 127.7 23
24
Incentives Memorization Phase ($0.5) Rehearsal Phase ($0.75 each) – Encourage participants to return – Discourage Cheating
25
Do Not Write Down Your Words “…we ask that you do not write down the words that we ask you to memorize.” “You will be paid for each completed rehearsal phase --- even if you forgot the words.” “Important: …do not write down the words” “You will be paid for each completed rehearsal phase --- even if you forgot the words.”
26
Study Conditions Mnemonic/text Rehearsal Schedule # PAO Stories – One, Two or Four m_12hrX1.5_4 26
27
Study Conditions ConditionComment m_24hrX2+2Start_11 PAO Story m_24hrX2+2Start_22 PAO Stories m_24hrX2+2Start_44 PAO Stories ConditionComment t_24hrX2+2Start_4Text condition/No Cues m_24hrX2+2Start_4Mnemonic Condition Interference Mnemonic vs Text 27
28
Study Conditions ConditionComment m_24hrX2_424 hour base m_24hrX2+2Start_4Two Extra Rehearsals on Day 1 m_30minX2_430 min base m_12hrX1.5_4Growth Rate: 1.5x Compare Rehearsal Schedules 28
29
Challenge: Dropped Participants Result of Last Rehearsal Invited to Return for Next Rehearsal? Remembered All Words Yes * Participant was reminded of his words & asked to rehearse again Failed to Return/LateNo Forgot Some WordsYes* 29
30
Survey: Dropped Participants No participant self-reported that they didn’t return because the stories were too difficult to memorize. 30
31
Outline Motivation Study Protocol Results Discussion Future Directions 31
32
Rehearsal Schedules 32 Survived(i)/Returned(i) Days
33
Rehearsal Schedules 33 Survived(i)/Returned(i) Days * Statistically Significant (p=0.05) Participants twice as likely to fail at any given point in time
34
Text vs Mnemonic Survived(i)/Returned(i) Advantage is statistically significant Advantage is not statistically significant 34
35
Interference Survived(i)/Returned(i) Interference Effect was Statistically Significant 35 Days
36
Results Succeeded(i)/Returned(i) 36
37
Backup Results
38
Findings Spaced Repetition – Yes, participants did remember multiple PAO stories! – Winning Schedule: 12hrX1.5 Mnemonics – Short Term: Benefit is statistically significant – Long Term: Rehearsal schedule was only significant factor Interference – Benefit: Memorize one story at a time – Future Work: Causes of interference 38
39
Outline Motivation Study Protocol Results Discussion & Future Directions – Password Expiration Policies – Password Strengthening – Mitigating Interference 39
40
Password Expiration Policy 40
41
Our Take: Password Expiration Policies High Effort Region Day:0 16 32 48 64 80 96 112 128 144 160 2 10 89 7 6 5 4 3 1 Low Effort Region We believe our study calls into question the merit of continuing the practice of password expiration. 41
42
We believe our study calls into question the merit of continuing the practice of password expiration. 42
43
Password Strengthening Towards reliable storage of 56-bit secrets in human memory [BS14] 7 0 90 Day:0 16
44
Related Work 44 2 7 0 Day:0 16 Day:0 16 32 48 64 80 96 112 128 144 160 2 10 8 9 7 6 4 3 1 0 5 90
45
Password Strengthening Mechanism 45 jblocki, Abcd1234 Bouncing, Smore
46
Password Strengthening Mechanism 46 Abcd1234 + ? Bouncing, Smore jblocki
47
Password Strengthening Mechanism 47 Abcd1234 + EatingSmore Bouncing, Smore jblocki
48
Password Strengthening Mechanism 48 Abcd1234 + BouncingSmore jblocki Once we can be confident that the user will remember the story we add it to the password.
49
Future Directions Understand the Cause(s) of Interference – User Fatigue? – Mixing up stories? Mitigating Interference – Staggered Memorization Schedule? – Gracefully Expanding Combinatorial Designs 49
50
Future Directions Spaced Repetition with other mnemonics – Graphical Secrets 50
51
Thanks for Listening 51
52
Conclusion Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords … …
53
Related Work Password Management Software Goal: Minimize Trust Assumptions about User’s Computational Devices 53
54
Related Work Alternatives to Passwords Quest to Replace Passwords [BHOS2012] 54
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.