Skip to main content

2020 | OriginalPaper | Buchkapitel

Trenchcoat: Human-Computable Hashing Algorithms for Password Generation

verfasst von : Ruthu Hulikal Rooparaghunath, T. S. Harikrishnan, Debayan Gupta

Erschienen in: Cryptology and Network Security

Verlag: Springer International Publishing

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config
loading …

Abstract

The average user has between 90–130 online accounts [17], and around \(3\times 10^{11}\) passwords are in use this year [10]. Most people are terrible at remembering “random” passwords, so they reuse or create similar passwords using a combination of predictable words, numbers, and symbols [16]. Previous password-generation or management protocols have imposed so large a cognitive load that users have abandoned them in favor of insecure yet simpler methods (e.g., writing them down or reusing minor variants).
We describe a range of candidate human-computable “hash” functions suitable for use as password generators - as long as the human (with minimal education assumptions) keeps a single, easily-memorizable ‘master’ secret - and rate them by various metrics, including effective security. These functions hash master-secrets with user accounts to produce sub-secrets that can be used as passwords; \(F_R(\)s\(, w) \longrightarrow y\), which takes a website w and produces a password y, parameterized by the master secret s, which may or may not be a string.
We exploit the unique configuration R of each user’s associative and implicit memory (detailed in Sect. 2) to ensure that sources of randomness unique to each user are present in each F. An adversary cannot compute or verify \(F_R\) efficiently since R is unique to each individual; in that sense, our hash function is similar to a physically unclonable function [37]. For the algorithms we propose, the user need only complete primitive operations such as addition, spatial navigation or searching. Critically, most of our methods are also accessible to neurodiverse, or cognitively or physically differently-abled persons.
Given the nature of these functions, it is not possible to directly use traditional cryptographic methods for analysis; so, we use an array of approaches, mainly related to entropy, to illustrate and analyze the same. We draw on cognitive, neuroscientific, and cryptographic research to use these functions as improved password management and creation systems, and present results from a survey (n = 134 individuals, with each candidate performing 2 schemes) investigating real-world usage of these methods and how people currently come up with their passwords. We also survey 400 websites to collate current password advice.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

  • über 102.000 Bücher
  • über 537 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Maschinenbau + Werkstoffe
  • Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 390 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Maschinenbau + Werkstoffe




 

Jetzt Wissensvorsprung sichern!

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 340 Zeitschriften

aus folgenden Fachgebieten:

  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Versicherung + Risiko




Jetzt Wissensvorsprung sichern!

Anhänge
Nur mit Berechtigung zugänglich
Fußnoten
1
Preventing this, in most password managers, requires users to terminate the manager each time after use. Users may be unaware of this or disregard it because of inconvenience, which once again lowers its security [25].
 
2
In general, as a human-computable hash function grows in difficulty, a human is more likely to abandon it [16, 30] and revert to weak password practices. So, one can have very high theoretical security but, in practice, be totally insecure.
 
3
Beyond careful design, these also included side-channel defenses e.g., the paper material was designed to degrade within a few weeks, ensuring that obsolete codes would not be used, and “lost” manuals would lose value quickly.
 
4
All images have demonstrably high priming “strength” [31] i.e. our images are already embedded in the user’s mind (familiar places that they can navigate mentally).
 
5
See [11] for a detailed proof.
 
6
Cracking means an adversary with access to password hashes, has found a collision.
 
7
In practice, the time taken to find a password’s hash depends on the alphabet used, degree of parallelization, hardware specifications such as processor flops, etc. [8].
 
8
Some of which are proven to last in memory 17 years without repeated rehearsal [11].
 
9
Assuming an appropriate threat actor – imagining an adversarial ‘evil’ sibling with occasional read-only access to your living space is a useful rule of thumb.
 
10
Assuming character entropies are independent. We do not consider dictionary attacks, character frequencies etc. as these would require a large number of passwords to be statistically valid, and due to unique user memory configurations R we cannot computationally generate large numbers of passwords.
 
11
Assuming the alphabet is indexed from 0.
 
Literatur
2.
Zurück zum Zitat Baddeley, A.D.: Human Memory: Theory and Practice. Psychology Press, London (1997) Baddeley, A.D.: Human Memory: Theory and Practice. Psychology Press, London (1997)
4.
Zurück zum Zitat Blanchard, N., Gabasova, L., Selker, T., Sennesh., E.: Cue-Pin-Select, a Secure and Usable Offline Password Scheme (2018). ffhal-01781231 Blanchard, N., Gabasova, L., Selker, T., Sennesh., E.: Cue-Pin-Select, a Secure and Usable Offline Password Scheme (2018). ffhal-01781231
6.
9.
Zurück zum Zitat Chakravarthy, A., et al.: A novel approach for password authentication using bidirectional associative memory. arXiv preprint arXiv:1112.2265 (2011) Chakravarthy, A., et al.: A novel approach for password authentication using bidirectional associative memory. arXiv preprint arXiv:​1112.​2265 (2011)
11.
Zurück zum Zitat Denning, T., Bowers, K., Van Dijk, M., Juels, A.: Exploring implicit memory for painless password recovery. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2615–2618 (2011) Denning, T., Bowers, K., Van Dijk, M., Juels, A.: Exploring implicit memory for painless password recovery. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2615–2618 (2011)
13.
Zurück zum Zitat Florencio, D., Herley, C.: A large-scale study of web password habits. In: Proceedings of the 16th International Conference on World Wide Web, pp. 657–666 (2007) Florencio, D., Herley, C.: A large-scale study of web password habits. In: Proceedings of the 16th International Conference on World Wide Web, pp. 657–666 (2007)
21.
Zurück zum Zitat Komanduri, S., et al.: Of passwords and people: measuring the effect of password-composition policies. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2595–2604 (2011) Komanduri, S., et al.: Of passwords and people: measuring the effect of password-composition policies. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2595–2604 (2011)
22.
Zurück zum Zitat Kotrlik, J., Higgins, C.: Organizational research: determining appropriate sample size in survey research appropriate sample size in survey research. Inf. Technol. Learn. Perform. J. 19(1), 43 (2001) Kotrlik, J., Higgins, C.: Organizational research: determining appropriate sample size in survey research appropriate sample size in survey research. Inf. Technol. Learn. Perform. J. 19(1), 43 (2001)
24.
Zurück zum Zitat Mazurek, M.L., et al.: Measuring password guessability for an entire university. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, pp. 173–186 (2013) Mazurek, M.L., et al.: Measuring password guessability for an entire university. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, pp. 173–186 (2013)
26.
Zurück zum Zitat Paul, E.: Black. 2004. Ratcliff/obershelp pattern recognition. Dictionary of Algorithms and Data Structures 17 (2004) Paul, E.: Black. 2004. Ratcliff/obershelp pattern recognition. Dictionary of Algorithms and Data Structures 17 (2004)
31.
Zurück zum Zitat Schacter, D.L., Chiu, C.Y.P., Ochsner, K.N.: Implicit memory: a selective review. Ann. Rev. Neurosci. 16(1), 159–182 (1993)CrossRef Schacter, D.L., Chiu, C.Y.P., Ochsner, K.N.: Implicit memory: a selective review. Ann. Rev. Neurosci. 16(1), 159–182 (1993)CrossRef
33.
Zurück zum Zitat Shi, Z., Shi, M., Li, C.: The prediction of character based on recurrent neural network language model. In: 2017 IEEE/ACIS 16th International Conference on Computer and Information Science (ICIS), pp. 613–616 (2017) Shi, Z., Shi, M., Li, C.: The prediction of character based on recurrent neural network language model. In: 2017 IEEE/ACIS 16th International Conference on Computer and Information Science (ICIS), pp. 613–616 (2017)
37.
Zurück zum Zitat Suh, G.E., Devadas, S.: Physical unclonable functions for device authentication and secret key generation. In: 2007 44th ACM/IEEE Design Automation Conference, pp. 9–14. IEEE (2007) Suh, G.E., Devadas, S.: Physical unclonable functions for device authentication and secret key generation. In: 2007 44th ACM/IEEE Design Automation Conference, pp. 9–14. IEEE (2007)
42.
Zurück zum Zitat Yan, J., Blackwell, A., Anderson, R., Grant, A.: Password memorability and security: empirical results. IEEE Secur. Priv. 2(5), 25–31 (2004)CrossRef Yan, J., Blackwell, A., Anderson, R., Grant, A.: Password memorability and security: empirical results. IEEE Secur. Priv. 2(5), 25–31 (2004)CrossRef
44.
Zurück zum Zitat Zhang-Kennedy, L., Chiasson, S., Biddle, R.: Password advice shouldn’t be boring: visualizing password guessing attacks. In: 2013 APWG eCrime Researchers Summit, pp. 1–11 (2013) Zhang-Kennedy, L., Chiasson, S., Biddle, R.: Password advice shouldn’t be boring: visualizing password guessing attacks. In: 2013 APWG eCrime Researchers Summit, pp. 1–11 (2013)
Metadaten
Titel
Trenchcoat: Human-Computable Hashing Algorithms for Password Generation
verfasst von
Ruthu Hulikal Rooparaghunath
T. S. Harikrishnan
Debayan Gupta
Copyright-Jahr
2020
DOI
https://doi.org/10.1007/978-3-030-65411-5_9