International Journal of Information Security, Volume 18, Issue 2, pp 239–255

Enhanced Tacit Secrets: System-assigned passwords you can’t write down, but don’t need to

  • Zeinab Joudaki
  • Julie Thorpe
  • Miguel Vargas Martin
Regular Contribution


We explore the feasibility of Tacit Secrets: system-assigned passwords that you can remember, but cannot write down or otherwise communicate. We design an approach to creating Tacit Secrets based on contextual cueing, an implicit learning method previously studied in the cognitive psychology literature. Our feasibility study indicates that our approach has strong security properties: resistance to brute-force attacks, online attacks, phishing attacks, some coercion attacks, and targeted impersonation attacks. It also offers protection against leaks from other verifiers as the secrets are system-assigned. Our approach also has some interesting usability properties, a high login success rate, and low false positive rates. We explore enhancements to our approach and find that incorporating eye-tracking data offers substantial improvements. We also explore the trade-offs of different configurations of our design and provide insight into valuable directions for future work.


Authentication Security System-assigned passwords Implicit learning Contextual cueing 



We thank the participants of our feasibility study. This research was supported by the Natural Sciences and Engineering Research Council of Canada (NSERC).



Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2018

Authors and Affiliations

  • Zeinab Joudaki (1)
  • Julie Thorpe (1)
  • Miguel Vargas Martin (1)
  1. University of Ontario Institute of Technology, Oshawa, Canada
