Skip to main content
Top

2020 | OriginalPaper | Chapter

Trenchcoat: Human-Computable Hashing Algorithms for Password Generation

Authors : Ruthu Hulikal Rooparaghunath, T. S. Harikrishnan, Debayan Gupta

Published in: Cryptology and Network Security

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config
loading …

Abstract

The average user has between 90–130 online accounts [17], and around \(3\times 10^{11}\) passwords are in use this year [10]. Most people are terrible at remembering “random” passwords, so they reuse or create similar passwords using a combination of predictable words, numbers, and symbols [16]. Previous password-generation or management protocols have imposed so large a cognitive load that users have abandoned them in favor of insecure yet simpler methods (e.g., writing them down or reusing minor variants).
We describe a range of candidate human-computable “hash” functions suitable for use as password generators - as long as the human (with minimal education assumptions) keeps a single, easily-memorizable ‘master’ secret - and rate them by various metrics, including effective security. These functions hash master-secrets with user accounts to produce sub-secrets that can be used as passwords; \(F_R(\)s\(, w) \longrightarrow y\), which takes a website w and produces a password y, parameterized by the master secret s, which may or may not be a string.
We exploit the unique configuration R of each user’s associative and implicit memory (detailed in Sect. 2) to ensure that sources of randomness unique to each user are present in each F. An adversary cannot compute or verify \(F_R\) efficiently since R is unique to each individual; in that sense, our hash function is similar to a physically unclonable function [37]. For the algorithms we propose, the user need only complete primitive operations such as addition, spatial navigation or searching. Critically, most of our methods are also accessible to neurodiverse, or cognitively or physically differently-abled persons.
Given the nature of these functions, it is not possible to directly use traditional cryptographic methods for analysis; so, we use an array of approaches, mainly related to entropy, to illustrate and analyze the same. We draw on cognitive, neuroscientific, and cryptographic research to use these functions as improved password management and creation systems, and present results from a survey (n = 134 individuals, with each candidate performing 2 schemes) investigating real-world usage of these methods and how people currently come up with their passwords. We also survey 400 websites to collate current password advice.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

  • über 102.000 Bücher
  • über 537 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Maschinenbau + Werkstoffe
  • Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 390 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Maschinenbau + Werkstoffe




 

Jetzt Wissensvorsprung sichern!

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 340 Zeitschriften

aus folgenden Fachgebieten:

  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Versicherung + Risiko




Jetzt Wissensvorsprung sichern!

Appendix
Available only for authorised users
Footnotes
1
Preventing this, in most password managers, requires users to terminate the manager each time after use. Users may be unaware of this or disregard it because of inconvenience, which once again lowers its security [25].
 
2
In general, as a human-computable hash function grows in difficulty, a human is more likely to abandon it [16, 30] and revert to weak password practices. So, one can have very high theoretical security but, in practice, be totally insecure.
 
3
Beyond careful design, these also included side-channel defenses e.g., the paper material was designed to degrade within a few weeks, ensuring that obsolete codes would not be used, and “lost” manuals would lose value quickly.
 
4
All images have demonstrably high priming “strength” [31] i.e. our images are already embedded in the user’s mind (familiar places that they can navigate mentally).
 
5
See [11] for a detailed proof.
 
6
Cracking means an adversary with access to password hashes, has found a collision.
 
7
In practice, the time taken to find a password’s hash depends on the alphabet used, degree of parallelization, hardware specifications such as processor flops, etc. [8].
 
8
Some of which are proven to last in memory 17 years without repeated rehearsal [11].
 
9
Assuming an appropriate threat actor – imagining an adversarial ‘evil’ sibling with occasional read-only access to your living space is a useful rule of thumb.
 
10
Assuming character entropies are independent. We do not consider dictionary attacks, character frequencies etc. as these would require a large number of passwords to be statistically valid, and due to unique user memory configurations R we cannot computationally generate large numbers of passwords.
 
11
Assuming the alphabet is indexed from 0.
 
Literature
2.
go back to reference Baddeley, A.D.: Human Memory: Theory and Practice. Psychology Press, London (1997) Baddeley, A.D.: Human Memory: Theory and Practice. Psychology Press, London (1997)
4.
go back to reference Blanchard, N., Gabasova, L., Selker, T., Sennesh., E.: Cue-Pin-Select, a Secure and Usable Offline Password Scheme (2018). ffhal-01781231 Blanchard, N., Gabasova, L., Selker, T., Sennesh., E.: Cue-Pin-Select, a Secure and Usable Offline Password Scheme (2018). ffhal-01781231
9.
go back to reference Chakravarthy, A., et al.: A novel approach for password authentication using bidirectional associative memory. arXiv preprint arXiv:1112.2265 (2011) Chakravarthy, A., et al.: A novel approach for password authentication using bidirectional associative memory. arXiv preprint arXiv:​1112.​2265 (2011)
11.
go back to reference Denning, T., Bowers, K., Van Dijk, M., Juels, A.: Exploring implicit memory for painless password recovery. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2615–2618 (2011) Denning, T., Bowers, K., Van Dijk, M., Juels, A.: Exploring implicit memory for painless password recovery. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2615–2618 (2011)
13.
go back to reference Florencio, D., Herley, C.: A large-scale study of web password habits. In: Proceedings of the 16th International Conference on World Wide Web, pp. 657–666 (2007) Florencio, D., Herley, C.: A large-scale study of web password habits. In: Proceedings of the 16th International Conference on World Wide Web, pp. 657–666 (2007)
21.
go back to reference Komanduri, S., et al.: Of passwords and people: measuring the effect of password-composition policies. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2595–2604 (2011) Komanduri, S., et al.: Of passwords and people: measuring the effect of password-composition policies. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2595–2604 (2011)
22.
go back to reference Kotrlik, J., Higgins, C.: Organizational research: determining appropriate sample size in survey research appropriate sample size in survey research. Inf. Technol. Learn. Perform. J. 19(1), 43 (2001) Kotrlik, J., Higgins, C.: Organizational research: determining appropriate sample size in survey research appropriate sample size in survey research. Inf. Technol. Learn. Perform. J. 19(1), 43 (2001)
24.
go back to reference Mazurek, M.L., et al.: Measuring password guessability for an entire university. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, pp. 173–186 (2013) Mazurek, M.L., et al.: Measuring password guessability for an entire university. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, pp. 173–186 (2013)
26.
go back to reference Paul, E.: Black. 2004. Ratcliff/obershelp pattern recognition. Dictionary of Algorithms and Data Structures 17 (2004) Paul, E.: Black. 2004. Ratcliff/obershelp pattern recognition. Dictionary of Algorithms and Data Structures 17 (2004)
31.
go back to reference Schacter, D.L., Chiu, C.Y.P., Ochsner, K.N.: Implicit memory: a selective review. Ann. Rev. Neurosci. 16(1), 159–182 (1993)CrossRef Schacter, D.L., Chiu, C.Y.P., Ochsner, K.N.: Implicit memory: a selective review. Ann. Rev. Neurosci. 16(1), 159–182 (1993)CrossRef
33.
go back to reference Shi, Z., Shi, M., Li, C.: The prediction of character based on recurrent neural network language model. In: 2017 IEEE/ACIS 16th International Conference on Computer and Information Science (ICIS), pp. 613–616 (2017) Shi, Z., Shi, M., Li, C.: The prediction of character based on recurrent neural network language model. In: 2017 IEEE/ACIS 16th International Conference on Computer and Information Science (ICIS), pp. 613–616 (2017)
37.
go back to reference Suh, G.E., Devadas, S.: Physical unclonable functions for device authentication and secret key generation. In: 2007 44th ACM/IEEE Design Automation Conference, pp. 9–14. IEEE (2007) Suh, G.E., Devadas, S.: Physical unclonable functions for device authentication and secret key generation. In: 2007 44th ACM/IEEE Design Automation Conference, pp. 9–14. IEEE (2007)
42.
go back to reference Yan, J., Blackwell, A., Anderson, R., Grant, A.: Password memorability and security: empirical results. IEEE Secur. Priv. 2(5), 25–31 (2004)CrossRef Yan, J., Blackwell, A., Anderson, R., Grant, A.: Password memorability and security: empirical results. IEEE Secur. Priv. 2(5), 25–31 (2004)CrossRef
44.
go back to reference Zhang-Kennedy, L., Chiasson, S., Biddle, R.: Password advice shouldn’t be boring: visualizing password guessing attacks. In: 2013 APWG eCrime Researchers Summit, pp. 1–11 (2013) Zhang-Kennedy, L., Chiasson, S., Biddle, R.: Password advice shouldn’t be boring: visualizing password guessing attacks. In: 2013 APWG eCrime Researchers Summit, pp. 1–11 (2013)
Metadata
Title
Trenchcoat: Human-Computable Hashing Algorithms for Password Generation
Authors
Ruthu Hulikal Rooparaghunath
T. S. Harikrishnan
Debayan Gupta
Copyright Year
2020
DOI
https://doi.org/10.1007/978-3-030-65411-5_9

Premium Partner