Trenchcoat: Human-Computable Hashing Algorithms for Password Generation

Abstract

The average user has between 90–130 online accounts [17], and around \(3\times 10^{11}\) passwords are in use this year [10]. Most people are terrible at remembering “random” passwords, so they reuse or create similar passwords using a combination of predictable words, numbers, and symbols [16]. Previous password-generation or management protocols have imposed so large a cognitive load that users have abandoned them in favor of insecure yet simpler methods (e.g., writing them down or reusing minor variants).

We describe a range of candidate human-computable “hash” functions suitable for use as password generators - as long as the human (with minimal education assumptions) keeps a single, easily-memorizable ‘master’ secret - and rate them by various metrics, including effective security. These functions hash master-secrets with user accounts to produce sub-secrets that can be used as passwords; \(F_R(\)s\(, w) \longrightarrow y\), which takes a website w and produces a password y, parameterized by the master secret s, which may or may not be a string.

We exploit the unique configuration R of each user’s associative and implicit memory (detailed in Sect. 2) to ensure that sources of randomness unique to each user are present in each F. An adversary cannot compute or verify \(F_R\) efficiently since R is unique to each individual; in that sense, our hash function is similar to a physically unclonable function [37]. For the algorithms we propose, the user need only complete primitive operations such as addition, spatial navigation or searching. Critically, most of our methods are also accessible to neurodiverse, or cognitively or physically differently-abled persons.

Given the nature of these functions, it is not possible to directly use traditional cryptographic methods for analysis; so, we use an array of approaches, mainly related to entropy, to illustrate and analyze the same. We draw on cognitive, neuroscientific, and cryptographic research to use these functions as improved password management and creation systems, and present results from a survey (n = 134 individuals, with each candidate performing 2 schemes) investigating real-world usage of these methods and how people currently come up with their passwords. We also survey 400 websites to collate current password advice.

A Cryptographic Security

Given the limitations imposed by the very nature of algorithms optimized for humans (which are intentionally difficult to represent on a computer) these methods cannot be used directly; we use approximate, illustrative calculations to indicate the likelihood of a given scheme satisfying some property.

When an adversary attempts to guess a user’s password for random accounts after seeing \(m/\lambda \) other random (account, password) pairs for the same user, a hash function \(h_R\) is considered UF-RCA (Unforgeability Under Random Challenge Attack) secure if a poly-time adversary can guess a new (account, password) pair with negligible success probability. [6]

For any hash function \(h_R(s,w_i) \longrightarrow y_i\) the adversary attempts to either guess s, or guess \(y_j\) for some \(w_j\), based on knowledge of \(C = \{(y_1,w_1),(y_2,w_2),\) \(\dots ,(y_n,w_n)\}\) where \((y_j,w_j) \not \in C\). The probability of correctly guessing the output (hash) for website \(w_j\) without knowing s, i.e., \(P( (y_j,w_j) | y_j = h_R(s,w_j) \wedge (y_j,w_j) \not \in C )\le \epsilon \) for any probabilistic polynomial time adversary.

1.1 A.1 Pre-image Resistance

Given only \(h_R\) (public hash function) and \(h_R(w,s_k)\) (a password), pre-image resistance requires that it must be computationally hard to deduce \(s_k\), the subkey, and s, the master secret. Note that R is unclonable in our setup.

Memory Palace: Given the hash, every alternate letter is either (Sect. 4.1):

• \(l = \mathbb {S}(x,y)\) where \(\mathbb {S}\): sum and x, y are two letters

• a diagonal mapping of l on the keyboard

Every letter l in the subkey depends on two other letters x, y such that¹¹:

$$L {\left\{ \begin{array}{ll} x+y&{}\text {for }x+y<26\\ x+y-26&{}\text {for }x+y\ge 26\\ \end{array}\right. }$$

The probability of guessing x and y given l is \(P(x,y | l) \le \frac{1}{13} (0.0769) \text { or }\) \( \frac{1}{14} (0.0714)\) based on 13–14 pairs of s(x, y) for every l. This reveals nothing about the permutation, e.g., \(a_i+b_i = b_i+a_i = c_i\), where \(a_i\) is the index of the letter a. In this case both ab and ba are candidate permutations for c, as are 13 other letter-pairs such as cz, no etc. So, every character of the hash depends on several possible letter-pairs in the previous text (confusion). Taking into account letter-pair permutations, the probability space increases such that: \(P(x,y|l) \le \frac{1}{26} (0.0385) \text { or } \frac{1}{28} (0.0357)\). The adversary now guesses the underlying letters with \(\le 4\%\) probability. If all (x,y) and their permutations are discovered, the user’s subkey is discovered. However this does not reveal other subkeys due to sources of randomness within the function, as elaborated in Appendix A.

Song Password: Passwords generated by this method had no identifiable words from the English language, or local languages. The title word of the song for the examples used in Step 3 in the description of Song Password formed a maximum of 10% of the song lyrics. An adversary has to undo several layers of confusion based on R, such as shifting characters to different positions, removing characters etc., which leave no identifiable words from the English language, or local languages in the final password, to deduce s from the hash. It is also computationally hard to predict characters that may have been removed due to character shifts before deletion that do not preserve letter frequencies or word patterns.

Scrambled Box This method is strongly resistant to pre-image attacks (a public S-box degrades gracefully). Given the S-box and the password, each character c in the S-box corresponds to a unique coordinate set (x, y) which in turn is the index xy of an alphabet. If the letter maps to a single-digit index, y may be a digit from the index of the next alphabet. Due to the vast number of possibilities for each character mapping in the password, we propose that finding s given the user’s S-box, w and h(s, w), is computationally infeasible.

Internal Sentence: Here, \(s_k=s\) is a “unique” word, and \(h_R(s,w)\) is a sentence including s and w. A frequency analysis of words will suggest a candidate s, and w is publicly known. Passwords resulting from this hashing method carried high entropy, but most passwords (138/202) with 4–17 words, included between 1–12 words from the 3000 most frequently used English words [27] and thus are not UF-RCA secure, as with n (account, password) pairs for the same user, a “unique” s can be deduced with word frequency analysis. Combined with word permutations a large number of candidate passwords can be produced with negligible computational effort. However this method is still weakly collision-free - long sentences without specified one-way mappings of (subkey \(\longrightarrow \) word combinations) result in a low incidence of \(h_R(m')=h_R(m)\).

1.2 A.2 Collision Resistance and Randomness

An adversary cannot even compute or verify \(h_R\) efficiently, since R is unique to each user. In that sense, our hash function is similar to a physically unclonable function [37]. Our analysis suggests that given a password y, guessing m, \(P(h_R(m) = y) \le \epsilon = {2^{-78}}\) in the average case (length 11.83), as analysed at the end of Sect. 5.3. (Most of our functions are also strongly collision free; details omitted for brevity.) We refer readers to [4] for the security of Cue-Pin-Select.

We observe a variety of sources of randomness for each R. Understanding and manipulating this randomness is an interesting problem for future research.