计算机科学 (Computer Science) ›› 2024, Vol. 51 ›› Issue (11A): 240300100-11. doi: 10.11896/jsjkx.240300100

• Information Security •

Overview of Mnemonic Password Creation Policies

CHEN Jiamin, JIANG Huiping

  1. School of Information Engineering, Minzu University of China, Beijing 100081, China
  • Online: 2024-11-16  Published: 2024-11-13
  • Corresponding author: JIANG Huiping (jianghp@muc.edu.cn)
  • About author: (22302049@muc.edu.cn)

Overview of Mnemonic Password Creation Policies

CHEN Jiamin, JIANG Huiping   

  1. School of Information Engineering, Minzu University of China, Beijing 100081, China
  • Online: 2024-11-16  Published: 2024-11-13
  • About author: CHEN Jiamin, born in 1999, postgraduate. Her main research interests include information security and machine learning.
    JIANG Huiping, born in 1975, Ph.D., professor, is a member of CCF (No. 13453S). Her main research interests include artificial intelligence and machine learning.

Abstract: Password authentication is the most common form of authentication today because of its simplicity and deployability. As password-guessing attack algorithms keep improving, the requirements on password strength keep rising. Strong passwords improve security but are often hard to remember, while easy-to-remember passwords are vulnerable to cracking, so choosing a password that is both strong and memorable has become a challenge. As the number of accounts per user keeps growing, so does the number of passwords that must be remembered, which places a noticeable burden on human memory; finding ways to generate strong yet memorable passwords has therefore become a necessity. Over the past two decades, many researchers have proposed mnemonic password creation strategies based on different mnemonic tools. This paper therefore surveys the existing mnemonic password creation strategies. It first summarizes the background of password creation and password strength; it then classifies the strategies, according to the characteristics of the mnemonic tools, into four types: sentence-based, word-based, keyboard-based, and other special types, and reviews each type in depth; finally, it summarizes mnemonic password creation strategies, offers an outlook, and points out future research directions and development trends.

Keywords: Mnemonic passwords, Password strength, Password policy, Memorability, Security

Abstract: Password authentication is the most common authentication method today due to its simplicity and deployability. As algorithms for password guessing attacks continue to improve, the requirement for strong passwords is also increasing. Strong passwords, while improving security, are often difficult to memorize, while easy-to-remember passwords are vulnerable to cracking threats, making it a challenge to choose passwords that are both strong and easy to remember. As the number of accounts per user continues to grow, so does the number of passphrases that need to be memorized, placing a noticeable strain on human memory and making it necessary to find ways to generate strong passphrases that are easy to remember. Over the past two decades, many researchers have proposed strategies for creating mnemonic passphrases based on different mnemonic tools. Therefore, a review of existing mnemonic password creation strategies is conducted. Firstly, an overview of the background of password creation and of password strength is given. Secondly, according to the characteristics of mnemonic tools, the strategies are categorized into four types: sentence-based, word-based, keyboard-based and other special types, and each type is reviewed in depth. Finally, the strategies for creating mnemonic passphrases are summarized, an outlook is given, and future research directions and development trends are pointed out.

Key words: Mnemonic passwords, Password strength, Password strategy, Memorability, Security

CLC number: TP309