Towards reliable storage of 56-bit secrets in human memory

Joseph Bonneau, Stuart Schechter

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Challenging the conventional wisdom that users cannot remember cryptographically-strong secrets, we test the hypothesis that users can learn randomly-assigned 56bit codes (encoded as either 6 words or 12 characters) through spaced repetition. We asked remote research participants to perform a distractor task that required logging into a website 90 times, over up to two weeks, with a password of their choosing. After they entered their chosen password correctly we displayed a short code (4 letters or 2 words, 18.8 bits) that we required them to type. For subsequent logins we added an increasing delay prior to displaying the code, which participants could avoid by typing the code from memory. As participants learned, we added two more codes to comprise a 56.4bit secret. Overall, 94% of participants eventually typed their entire secret from memory, learning it after a median of 36 logins. The learning component of our system added a median delay of just 6.9 s per login and a total of less than 12 minutes over an average of ten days. 88% were able to recall their codes exactly when asked at least three days later, with only 21% reporting having written their secret down. As one participant wrote with surprise, "the words are branded into my brain".

Original languageEnglish (US)
Title of host publicationProceedings of the 23rd USENIX Security Symposium
PublisherUSENIX Association
Pages607-623
Number of pages17
ISBN (Electronic)9781931971157
StatePublished - Jan 1 2014
Event23rd USENIX Security Symposium - San Diego, United States
Duration: Aug 20 2014Aug 22 2014

Publication series

NameProceedings of the 23rd USENIX Security Symposium

Conference

Conference23rd USENIX Security Symposium
CountryUnited States
CitySan Diego
Period8/20/148/22/14

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality

Fingerprint Dive into the research topics of 'Towards reliable storage of 56-bit secrets in human memory'. Together they form a unique fingerprint.

  • Cite this

    Bonneau, J., & Schechter, S. (2014). Towards reliable storage of 56-bit secrets in human memory. In Proceedings of the 23rd USENIX Security Symposium (pp. 607-623). (Proceedings of the 23rd USENIX Security Symposium). USENIX Association.