TY - GEN
T1 - Towards reliable storage of 56-bit secrets in human memory
AU - Bonneau, Joseph
AU - Schechter, Stuart
PY - 2014/1/1
Y1 - 2014/1/1
N2 - Challenging the conventional wisdom that users cannot remember cryptographically-strong secrets, we test the hypothesis that users can learn randomly-assigned 56bit codes (encoded as either 6 words or 12 characters) through spaced repetition. We asked remote research participants to perform a distractor task that required logging into a website 90 times, over up to two weeks, with a password of their choosing. After they entered their chosen password correctly we displayed a short code (4 letters or 2 words, 18.8 bits) that we required them to type. For subsequent logins we added an increasing delay prior to displaying the code, which participants could avoid by typing the code from memory. As participants learned, we added two more codes to comprise a 56.4bit secret. Overall, 94% of participants eventually typed their entire secret from memory, learning it after a median of 36 logins. The learning component of our system added a median delay of just 6.9 s per login and a total of less than 12 minutes over an average of ten days. 88% were able to recall their codes exactly when asked at least three days later, with only 21% reporting having written their secret down. As one participant wrote with surprise, "the words are branded into my brain".
AB - Challenging the conventional wisdom that users cannot remember cryptographically-strong secrets, we test the hypothesis that users can learn randomly-assigned 56bit codes (encoded as either 6 words or 12 characters) through spaced repetition. We asked remote research participants to perform a distractor task that required logging into a website 90 times, over up to two weeks, with a password of their choosing. After they entered their chosen password correctly we displayed a short code (4 letters or 2 words, 18.8 bits) that we required them to type. For subsequent logins we added an increasing delay prior to displaying the code, which participants could avoid by typing the code from memory. As participants learned, we added two more codes to comprise a 56.4bit secret. Overall, 94% of participants eventually typed their entire secret from memory, learning it after a median of 36 logins. The learning component of our system added a median delay of just 6.9 s per login and a total of less than 12 minutes over an average of ten days. 88% were able to recall their codes exactly when asked at least three days later, with only 21% reporting having written their secret down. As one participant wrote with surprise, "the words are branded into my brain".
UR - http://www.scopus.com/inward/record.url?scp=85060180093&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85060180093&partnerID=8YFLogxK
M3 - Conference contribution
T3 - Proceedings of the 23rd USENIX Security Symposium
SP - 607
EP - 623
BT - Proceedings of the 23rd USENIX Security Symposium
PB - USENIX Association
T2 - 23rd USENIX Security Symposium
Y2 - 20 August 2014 through 22 August 2014
ER -