Multi-item Passphrases: A Self-adaptive Approach Against Offline Guessing Attacks

  • Jaryn Shen
  • Kim-Kwang Raymond Choo
  • Qingkai Zeng
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 259)


While authentication has been widely studied, designing secure and efficient authentication schemes for various applications remains challenging. In this paper, we propose a self-adaptive authentication mechanism, Multi-item Passphrases, which is designed to mitigate offline password-guessing attacks. For example, “11th July 2018, Nanjing, China, San Antonio, Texas, research” is a multi-item passphrase. It dynamically monitors items and identifies frequently used items. Users will then be alerted when there is need to change their passphrases based on the observed trend (e.g., when a term used in the passphrase consists of a popular item). We demonstrate the security and effectiveness of the proposed scheme in resisting offline guessing attacks, and in particular using simulations to show that schemes based on multi-item passphrases achieve higher security and better usability than those using passwords and diceware passphrases.


Offline guessing attacks Self-adaptive Authentication Passphrases 



We thank the anonymous reviewers for their constructive feedback. This work has been partly supported by National NSF of China under Grant No. 61772266, 61572248, 61431008.


  1. 1.
    Biddle, R., Chiasson, S., Van Oorschot, P.C.: Graphical passwords: learning from the first twelve years. ACM Comput. Surv. (CSUR) 44(4), 19 (2012)CrossRefGoogle Scholar
  2. 2.
    Bonneau, J., Herley, C., van Oorschot, P.C., Stajano, F.: Passwords and the evolution of imperfect authentication. Commun. ACM 58(7), 78–87 (2015)CrossRefGoogle Scholar
  3. 3.
    Bonneau, J., Shutova, E.: Linguistic properties of multi-word passphrases. In: Blyth, J., Dietrich, S., Camp, L.J. (eds.) FC 2012. LNCS, vol. 7398, pp. 1–12. Springer, Heidelberg (2012). Scholar
  4. 4.
    Burnett, M.: Today I am releasing ten million passwords, February 2015.
  5. 5.
    Chatterjee, R., Athayle, A., Akhawe, D., Juels, A., Ristenpart, T.: pASSWORD tYPOS and how to correct them securely. In: IEEE Symposium on Security and Privacy, pp. 799–818 (2016)Google Scholar
  6. 6.
    Oxford Living Dictionaries: How many words are there in the English language? (2018).
  7. 7.
    Wang, D., Cheng, H., Wang, P., Yan, J., Huang, X.: A security analysis of honeywords. In: Proceedings of the 25th Annual Network and Distributed System Security Symposium (2018)Google Scholar
  8. 8.
    D’Orazio, C., Choo, K.K.R., Yang, L.T.: Data exfiltration from Internet of Things devices: iOS devices as case studies. IEEE Internet Things J. 4(2), 524–535 (2017)CrossRefGoogle Scholar
  9. 9.
    Habib, H., et al.: Password creation in the presence of blacklists. In: Proceedings of USEC (2017)Google Scholar
  10. 10.
    Komanduri, S., Shay, R., Cranor, L.F., Herley, C., Schechter, S.E.: Telepathwords: preventing weak passwords by reading users’ minds. In: USENIX Security Symposium, pp. 591–606 (2014)Google Scholar
  11. 11.
    Krol, K., Philippou, E., De Cristofaro, E., Sasse, M.A.: “they brought in the horrible key ring thing!” analysing the usability of two-factor authentication in UK online banking. In: Symposium on NDSS Workshop on Usable Security (2015)Google Scholar
  12. 12.
    Leininger, H.: Libpathwell 0.6.1 released, 2015 (2015).
  13. 13.
    Li, Z., Han, W., Xu, W.: A large-scale empirical analysis of Chinese web passwords. In: Proceedings of 23rd USENIX Security Symposium, USENIX Security, August 2014Google Scholar
  14. 14.
    Mazurek, M.L., et al.: Measuring password guessability for an entire university. In: Proceedings of the 20th ACM SIGSAC Conference on Computer and Communications Security, pp. 173–186. ACM (2013)Google Scholar
  15. 15.
    Morris, R., Thompson, K.: Password security: a case history. Commun. ACM 22(11), 594–597 (1979)CrossRefGoogle Scholar
  16. 16.
    OED: Dictionary milestones: a chronology of events relevant to the history of the OED (2017).
  17. 17.
    Paul: New 25 GPU monster devours passwords in seconds, December 2012.
  18. 18.
    Provos, N., Mazieres, D.: A future-adaptable password scheme. In: USENIX Annual Technical Conference, FREENIX Track, pp. 81–91 (1999)Google Scholar
  19. 19.
    Reinhold, A.G.: The diceware passphrase home page, October 2017.
  20. 20.
    Schechter, S., Herley, C., Mitzenmacher, M.: Popularity is everything: a new approach to protecting passwords from statistical-guessing attacks. In: USENIX Conference on Hot Topics in Security, pp. 1–8 (2010)Google Scholar
  21. 21.
    Segreti, S.M., et al.: Diversify to survive: making passwords stronger with adaptive policies. In: Symposium on Usable Privacy and Security (SOUPS) (2017)Google Scholar
  22. 22.
    Tazawa, H., Katoh, T., Bista, B.B., Takata, T.: A user authenticaion scheme using multiple passphrases and its arrangement. In: International Symposium on Information Theory and Its Applications (ISITA), pp. 554–559. IEEE (2010)Google Scholar
  23. 23.
    Walpole, R.E.: One- and two-sample tests of hypotheses. In: Probability and Statistics for Engineers and Scientists, 7 edn. Pearson (2001). Chapter 10Google Scholar
  24. 24.
    Wang, D., Cheng, H., Wang, P., Huang, X., Jian, G.: Zipf’s law in passwords. IEEE Trans. Inf. Forensics Secur. 12(11), 2776–2791 (2017)CrossRefGoogle Scholar

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2019

Authors and Affiliations

  • Jaryn Shen
    • 1
  • Kim-Kwang Raymond Choo
    • 2
  • Qingkai Zeng
    • 1
  1. 1.State Key Laboratory for Novel Software TechnologyNanjing UniversityNanjingChina
  2. 2.Department of Information Systems and Cyber SecurityUniversity of Texas at San AntonioSan AntonioUSA

Personalised recommendations