PassCue: The Shared Cues System in Practice

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9393)


Shared Cues is a password management system proposed by Blocki, Blum and Datta at Asiacrypt 2013. Unlike the majority of password management systems Shared Cues passwords are never stored, even on the management device. The idea of the Shared Cues system is to help users choose and remember passwords in a manner proven to avoid brute force searching under reasonable assumptions.

Blocki et al. analysed Shared Cues theoretically but did not describe any practical tests. We report on the design and implementation of an iOS application based on Shared Cues, which we call PassCue. This enables us to consider the practicality of Shared Cues in the real world and address important issues of user interface, parameter choices and applicability on popular web sites. PassCue demonstrates that the Shared Cues password management system is useable and secure in practice as well as in theory.


Associative Memory Human Memory High Security Independent Scheme Potential Attacker 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Supplementary material


  1. 1.
    Anderson, J.R., Matessa, M., Lebiere, C.: Act-r: a theory of higher level cognition and its relation to visual attention. Hum. Comput. Interact. 12(4), 439–462 (1997)CrossRefGoogle Scholar
  2. 2.
    Anderson, J.R., Schooler, L.J.: Reflections of the environment in memory. Psychol. Sci. 2(6), 396–408 (1991)CrossRefGoogle Scholar
  3. 3.
    Baddeley, A.D.: Human Memory: Theory and Practice. Lawrence Erlbaum Associates, Hove (1990)Google Scholar
  4. 4.
    Blocki, J., Blum, M., Datta, A.: Naturally rehearsing passwords. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 361–380. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  5. 5.
    Bryant, M.: Amazon EC2 GPU HVM spot instance password cracking - hashcat setup tutorial (2013). Accessed 26 April 2014
  6. 6.
    Castelluccia, C., Dürmuth, M., Perito, D.: Adaptive password-strength meters from Markov models. In: NDSS. The Internet Society (2012)Google Scholar
  7. 7.
    Danescu-Niculescu-Mizil, C., Cheng, J., Kleinberg, J.M., Lee, L.: You had me at hello: How phrasing affects memorability. CoRR, abs/1203.6360 (2012)Google Scholar
  8. 8.
    Defuse. Password policy hall of shame. Accessed 10 March 2014
  9. 9.
    Dell’Amico, M., Michiardi, P., Roudier, Y.: Password strength: an empirical analysis. In: Proceedings of the 29th Conference on Information Communications, INFOCOM 2010, pp. 983–991. IEEE Press (2010)Google Scholar
  10. 10.
    Dunham, A.: Password cracking on amazon EC2 (2013). Accessed 26 April 2014
  11. 11.
    Wildenhain, A., et al.: Comparison of usability and security of password creation schemes (2012). Accessed 07 February 2014
  12. 12.
    Foer, J.: Moonwalking with Einstein: The Art and Science of Remembering Everything. Penguin Books Limited, New York (2011)Google Scholar
  13. 13.
    Google. Creating a strong password (2013). Accessed 26 April 2014
  14. 14.
    Johnson, G.J.: A distinctiveness model of serial learning. Psychol. Rev. 98(2), 204–217 (1999)CrossRefGoogle Scholar
  15. 15.
    Johnston, C.: Why your password can’t have symbols–or be longer than 16 characters (2013). Accessed 11 March 2014
  16. 16.
    Kelley, P.G., Komanduri, S., Mazurek, M.L., Shay, R., Vidas, T., Bauer, L., Christin, N., Cranor, L.F., Lopez, J.: Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 523–537, May 2012Google Scholar
  17. 17.
    Kohonen, T.: Associative Memory: A System-Theoretical Approach. Springer, Berlin (1977)CrossRefzbMATHGoogle Scholar
  18. 18.
    Komanduri, S., Shay, R., Kelley, P.G., Mazurek, M.L., Bauer, L., Christin, N., Cranor, L.F., Egelman, S.: Of passwords and people: measuring the effect of password-composition policies. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2011, New York, NY, USA, pp. 2595–2604. ACM (2011)Google Scholar
  19. 19.
    LinkedIn. An update on LinkedIn member passwords compromised (2012). Accessed 16 February 2014
  20. 20.
    Miller, G.A.: The magical number seven, plus or minus two: some limits on our capacity for processing information. Psychol. Rev. 63(2), 81–97 (1956)CrossRefGoogle Scholar
  21. 21.
    Sandvoll, M.: Design and analysis of a password management system. Masters thesis, NTNU (2014)Google Scholar
  22. 22.
    Smith, R.E.: The strong password dilemma. Comput. Secur. J. 18(2), 31–38 (2002)Google Scholar
  23. 23.
    Squire, L.R.: On the course of forgetting in very long-term-memory. J. Exp. Psychol. Learn. 15(2), 241–245 (1989)CrossRefGoogle Scholar
  24. 24.
    The Verge. Evernote resets all passwords after user information is stolen in security breach (2013). Accessed 16 February 2014
  25. 25.
    Willshaw, D.J., Buckingham, J.T.: An assessment of Marrs theory of the hippocampus as a temporary memory store. Philos. Trans. R. Soc. Lond. B. Biol. Sci. 329(1253), 205–215 (1990)CrossRefGoogle Scholar
  26. 26.
    Woźniak, P.A., Gorzelańczyk, E.J.: Optimization of repetition spacing in the practice of learning. Acta Neurobiol. Exp. 54(1), 59–62 (1994)Google Scholar
  27. 27.
    Yan, J., Blackwell, A., Anderson, R., Grant, A.: Password memorability and security: empirical results. IEEE Secur. Priv. 2(5), 25–31 (2004)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Norwegian Institute of Science and TechnologyTrondheimNorway

Personalised recommendations