Naturally Rehearsing Passwords

  • Jeremiah Blocki
  • Manuel Blum
  • Anupam Datta
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8270)


We introduce quantitative usability and security models to guide the design of password management schemes — systematic strategies to help users create and remember multiple passwords. In the same way that security proofs in cryptography are based on complexity-theoretic assumptions (e.g., hardness of factoring and discrete logarithm), we quantify usability by introducing usability assumptions. In particular, password management relies on assumptions about human memory, e.g., that a user who follows a particular rehearsal schedule will successfully maintain the corresponding memory. These assumptions are informed by research in cognitive science and can be tested empirically. Given rehearsal requirements and a user’s visitation schedule for each account, we use the total number of extra rehearsals that the user would have to do to remember all of his passwords as a measure of the usability of the password scheme. Our usability model leads us to a key observation: password reuse benefits users not only by reducing the number of passwords that the user has to memorize, but more importantly by increasing the natural rehearsal rate for each password. We also present a security model which accounts for the complexity of password management with multiple accounts and associated threats, including online, offline, and plaintext password leak attacks. Observing that current password management schemes are either insecure or unusable, we present Shared Cues — a new scheme in which the underlying secret is strategically shared across accounts to ensure that most rehearsal requirements are satisfied naturally while simultaneously providing strong security. The construction uses the Chinese Remainder Theorem to achieve these competing goals.


Password Management Scheme Security Model Usability Model Chinese Remainder Theorem Sufficient Rehearsal Assumption Visitation Schedule 


  1. 1.
    Amazon ec2 pricing, (retrieved October 22, 2012)
  2. 2.
    Cert incident note in-98.03: Password cracking activity (July 1998), (retrieved August 16, 2011)
  3. 3.
    Geek to live: Choose (and remember) great passwords (July 2006), (retrieved September 27, 2012)
  4. 4.
    Rockyou hack: From bad to worse (December 2009), (retrieved September 27, 2012)
  5. 5.
    Oh man, what a day! an update on our security breach (April 2010), (retrieved August 18, 2011)
  6. 6.
    Sarah palin vs the hacker (May 2010), (retrieved September 9, 2012)
  7. 7.
    Nato site hacked (June 2011), (retrieved August 16, 2011)
  8. 8.
    Update on playstation network/qriocity services (April 2011), (retrieved May 22, 2012)
  9. 9.
    Apple security blunder exposes lion login passwords in clear text (May 2012), (retrieved May 22, 2012)
  10. 10.
    Data breach at 100k plaintext passwords (September 2012), (retrieved September 27, 2012)
  11. 11.
    An update on linkedin member passwords compromised (June 2012), (retrieved September 27, 2012)
  12. 12.
    Zappos customer accounts breached (January 2012), (retrieved May 22, 2012)
  13. 13.
    Acquisti, A., Gross, R.: Imagined communities: awareness, information sharing, and privacy on the facebook. In: Danezis, G., Golle, P. (eds.) PET 2006. LNCS, vol. 4258, pp. 36–58. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  14. 14.
    Anderson, J., Matessa, M., Lebiere, C.: Act-r: A theory of higher level cognition and its relation to visual attention. Human-Computer Interaction 12(4), 439–462 (1997)CrossRefGoogle Scholar
  15. 15.
    Anderson, J.R., Schooler, L.J.: Reflections of the environment in memory. Psychological Science 2(6), 396–408 (1991)CrossRefGoogle Scholar
  16. 16.
    Asmuth, C., Bloom, J.: A modular approach to key safeguarding. IEEE Transactions on Information Theory 29(2), 208–210 (1983)MathSciNetCrossRefGoogle Scholar
  17. 17.
    Baddeley, A.: Human memory: Theory and practice. Psychology Pr. (1997)Google Scholar
  18. 18.
    Bellare, M., Rogaway, P.: The exact security of digital signatures - how to sign with RSA and rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  19. 19.
    Biddle, R., Chiasson, S., Van Oorschot, P.: Graphical passwords: Learning from the first twelve years. ACM Computing Surveys (CSUR) 44(4), 19 (2012)CrossRefGoogle Scholar
  20. 20.
    Biddle, S.: Anonymous leaks 90,000 military email accounts in latest antisec attack (July 2011), (retrieved August 16, 2011)
  21. 21.
    Blocki, J., Blum, M., Datta, A.: Naturally rehearsing passwords. CoRR abs/1302.5122 (2013)Google Scholar
  22. 22.
    Blocki, J., Komanduri, S., Procaccia, A., Sheffet, O.: Optimizing password composition policiesGoogle Scholar
  23. 23.
    Bojinov, H., Sanchez, D., Reber, P., Boneh, D., Lincoln, P.: Neuroscience meets cryptography: designing crypto primitives secure against rubber hose attacks. In: Proceedings of the 21st USENIX Conference on Security Symposium, pp. 33–33. USENIX Association (2012)Google Scholar
  24. 24.
    Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 538–552. IEEE (2012)Google Scholar
  25. 25.
    Bonneau, J., Herley, C., van Oorschot, P.C., Stajano, F.: The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In: IEEE Symposium on Security and Privacy, pp. 553–567. IEEE (2012)Google Scholar
  26. 26.
    Boztas, S.: Entropies, guessing, and cryptography. Department of Mathematics, Royal Melbourne Institute of Technology. Tech. Rep. 6 (1999)Google Scholar
  27. 27.
    Brand, S. Department of defense password management guidelineGoogle Scholar
  28. 28.
    Brostoff, S., Sasse, M.: Are Passfaces more usable than passwords: A field trial investigation. In: People and Computers XIV-Usability or Else: Proceedings of HCI, pp. 405–424 (2000)Google Scholar
  29. 29.
    Burnett, M.: Perfect passwords: selection, protection, authentication. Syngress Publishing (2005)Google Scholar
  30. 30.
    Center, I.: Consumer password worst practices. Imperva (White Paper) (2010)Google Scholar
  31. 31.
    Danescu-Niculescu-Mizil, C., Cheng, J., Kleinberg, J., Lee, L.: You had me at hello: How phrasing affects memorability. In: Proceedings of the 50th Annual Meeting of the Association for Computational Linguistics: Long Papers, vol. 1, pp. 892–901. Association for Computational Linguistics (2012)Google Scholar
  32. 32.
    Ding, C., Pei, D., Salomaa, A.: Chinese remainder theorem. World Scientific (1996)Google Scholar
  33. 33.
    Florencio, D., Herley, C.: A large-scale study of web password habits. In: Proceedings of the 16th International Conference on World Wide Web, pp. 657–666. ACM (2007)Google Scholar
  34. 34.
    Foer, J.: Moonwalking with Einstein: The Art and Science of Remembering Everything. Penguin Press (2011)Google Scholar
  35. 35.
    Gaw, S., Felten, E.W.: Password management strategies for online accounts. In: Proceedings of the Second Symposium on Usable Privacy and Security, SOUPS 2006, pp. 44–55. ACM, New York (2006)CrossRefGoogle Scholar
  36. 36.
    Hopper, N.J., Blum, M.: Secure human identification protocols. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 52–66. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  37. 37.
    Kohonen, T.: Associative memory: A system-theoretical approach. Springer, Berlin (1977)CrossRefzbMATHGoogle Scholar
  38. 38.
    Komanduri, S., Shay, R., Kelley, P., Mazurek, M., Bauer, L., Christin, N., Cranor, L., Egelman, S.: Of passwords and people: measuring the effect of password-composition policies. In: Proceedings of the 2011 Annual Conference on Human Factors in Computing Systems, pp. 2595–2604. ACM (2011)Google Scholar
  39. 39.
    Kruger, H., Steyn, T., Medlin, B., Drevin, L.: An empirical assessment of factors impeding effective password management. Journal of Information Privacy and Security 4(4), 45–59 (2008)Google Scholar
  40. 40.
    Marr, D.: Simple memory: a theory for archicortex. Philosophical Transactions of the Royal Society of London. Series B, Biological Sciences, 23–81 (1971)Google Scholar
  41. 41.
    Massey, J.: Guessing and entropy. In: Proceedings of the 1994 IEEE International Symposium on Information Theory, p. 204. IEEE (1994)Google Scholar
  42. 42.
    Monroe, R.: Xkcd: Password strength, (retrieved August 16, 2011)
  43. 43.
    Nisan, N., Wigderson, A.: Hardness vs randomness. Journal of Computer and System Sciences 49(2), 149–167 (1994)MathSciNetCrossRefzbMATHGoogle Scholar
  44. 44.
    Pliam, J.O.: On the incomparability of entropy and marginal guesswork in brute-force attacks. In: Roy, B., Okamoto, E. (eds.) INDOCRYPT 2000. LNCS, vol. 1977, pp. 67–79. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  45. 45.
    Provos, N., Mazieres, D.: Bcrypt algorithmGoogle Scholar
  46. 46.
    Radke, K., Boyd, C., Nieto, J.G., Brereton, M.: Towards a secure human-and-computer mutual authentication protocol. In: Proceedings of the Tenth Australasian Information Security Conference (AISC 2012), vol. 125, pp. 39–46. Australian Computer Society Inc. (2012)Google Scholar
  47. 47.
    Rasch, G.: The poisson process as a model for a diversity of behavioral phenomena. In: International Congress of Psychology (1963)Google Scholar
  48. 48.
    Scarfone, K., Souppaya, M.: Guide to enterprise password management (draft). National Institute of Standards and Technology 800-188 6, 38 (2009)Google Scholar
  49. 49.
    Schechter, S., Brush, A., Egelman, S.: It’s no secret. measuring the security and reliability of authentication via ‘secret’ questions. In: 2009 30th IEEE Symposium on Security and Privacy, pp. 375–390. IEEE (2009)Google Scholar
  50. 50.
    Shay, R., Kelley, P., Komanduri, S., Mazurek, M., Ur, B., Vidas, T., Bauer, L., Christin, N., Cranor, L.: Correct horse battery staple: Exploring the usability of system-assigned passphrases. In: Proceedings of the Eighth Symposium on Usable Privacy and Security, p. 7. ACM (2012)Google Scholar
  51. 51.
    Singer, A.: No plaintext passwords. The Magazine of Usenix & Sage 26(7) (November 2001) (retrieved August 16, 2011)Google Scholar
  52. 52.
    Spence, J.: The memory palace of Matteo Ricci. Penguin Books (1985)Google Scholar
  53. 53.
    Squire, L.: On the course of forgetting in very long-term memory. Journal of Experimental Psychology: Learning, Memory, and Cognition 15(2), 241 (1989)CrossRefGoogle Scholar
  54. 54.
    Standingt, L.: Learning 10,000 pictures. Quarterly Journal of Experimental Psychology 5(20), 7–22 (1973)Google Scholar
  55. 55.
    Stein, J.: Pimp my password. Time, 62 (August 29, 2011)Google Scholar
  56. 56.
    Valiant, L.: Memorization and association on a realistic neural model. Neural Computation 17(3), 527–555 (2005)CrossRefzbMATHGoogle Scholar
  57. 57.
    van Rijn, H., van Maanen, L., van Woudenberg, M.: Passing the test: Improving learning gains by balancing spacing and testing effects. In: Proceedings of the 9th International Conference of Cognitive Modeling (2009)Google Scholar
  58. 58.
    Von Ahn, L., Blum, M., Hopper, N., Langford, J.: Captcha: Using hard ai problems for security. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 646–646. Springer, Heidelberg (2003)Google Scholar
  59. 59.
    Willshaw, D., Buckingham, J.: An assessment of marr’s theory of the hippocampus as a temporary memory store. Philosophical Transactions of the Royal Society of London. Series B: Biological Sciences 329(1253), 205 (1990)CrossRefGoogle Scholar
  60. 60.
    Wozniak, P., Gorzelanczyk, E.J.: Optimization of repetition spacing in the practice of learning. Acta Neurobiologiae Experimentalis 54, 59–59 (1994)Google Scholar
  61. 61.
    Yan, J., Blackwell, A., Anderson, R., Grant, A.: Password memorability and security: Empirical results. IEEE Security & Privacy 2(5), 25–31 (2004)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Jeremiah Blocki
    • 1
  • Manuel Blum
    • 1
  • Anupam Datta
    • 1
  1. 1.Carnegie Mellon UniversityPittsburghUSA

Personalised recommendations