助记口令创建策略综述

doi:10.11896/jsjkx.240300100

Abstract

Abstract: Password authentication is the most common authentication method today due to its good simplicity and nice deployability.As algorithms for password guessing attacks continue to improve,the requirement for strong passwords is also increasing.Strong passwords,while improving security,are often difficult to memorize,while easy-to-remember passwords are vulnerable to cracking threats,making it a challenge to choose passwords that are both strong and easy to remember.As the number of accounts per user continues to grow,so does the number of passphrases that need to be memorized,placing a noticeable strain on human memory and making it necessary to find ways to generate strong passphrases that are easy to remember.Over the past two decades,many researchers have proposed strategies for creating mnemonic passphrases based on different mnemonic tools.Therefore,a review of existing mnemonic password creation strategies is conducted.Firstly,an overview is summarized for the background of password creation and the strength of the password.Secondly,according to the characteristics of mnemonic tools,they are categorized into four types:sentence-based,word-based,keyboard-based and other special types,and each type is reviewed in depth.Finally,the strategies for creating mnemonic passphrases are summarized and outlooked,and future research directions and development trends are pointed out.

Key words: Mnemonic passwords, Password strength, Password strategy, Memorability, Security

CLC Number:

TP309

CHEN Jiamin, JIANG Huiping. Overview of Mnemonic Password Creation Policies[J].Computer Science, 2024, 51(11A): 240300100-11.

References

[1]BONNEAU J,HERLEY C,VAN OORSCHOT P C,et al.Passwords and the evolution of imperfect authentication[J].Communications of the ACM,2015,58(7):78-87.
[2]BONNEAU J,HERLEY C,VAN OORSCHOTP C,et al.Thequest to replace passwords:A framework for comparative evaluation of web authentication schemes[C]//2012 IEEE Sympo-sium on Security and Privacy.IEEE,2012:553-567.
[3]UR B,NOMA F,BEES J,et al.I Added‘!'at the End to Make It Secure:Observing Password Creation in the Lab[C]//Ele-venth Symposium on Usable Privacy and Security(SOUPS 2015).2015:123-140.
[4]WASH R,RADER E,BERMAN R,et al.Understanding pass-word choices:How frequently entered passwords are re-used across websites[C]//Twelfth Symposium on Usable Privacy and Security(SOUPS 2016).2016:175-188.
[5]GUO Y,ZHANG Z.LPSE:Lightweight password-strength estimation for password meters[J].Computers & Security,2018,73:507-518.
[6]KOMANDURI S,SHAY R,KELLEYP G,et al.Of passwordsand people:measuring the effect of password-composition policies[C]// Proceedings of the Sigchi Conference on Human Factors in Computing Systems.2011:2595-2604.
[7]WANG D,WANG P.The emperor's new password creationpolicies:An evaluation of leading web services and the effect of role in resisting against online guessing[C]//Computer Security－ESORICS 2015:20th European Symposium on Research in Computer Security,Vienna,Austria,Part II 20.Springer International Publishing,2015:456-477.
[8]SHAY R,KOMANDURI S,KELLEY P G,et al.Encountering stronger password requirements:user attitudes and behaviors[C]//Proceedings of the Sixth Symposium on Usable Privacy and ecurity.2010:1-20.
[9]WEIR M,AGGARWAL S,COLLINSM,et al.Testing metricsfor password creation policies by attacking large sets of revealed passwords[C]//Proceedings of the 17th ACM Conference on Computer and Communications Security.2010:162-175.
[10]INGLESANT P G,SASSE M A.The true cost of unusablepassword policies:password use in the wild[C]//Proceedings of the Sigchi Conference on Human Factors in Computing Systems.2010:383-392.
[11]ADAMS A,SASSE M A.Users are not the enemy[J].Communications of the ACM,1999,42(12):40-46.
[12]SEGRETI S M,MELICHER W,KOMANDURI S,et al.Diversify to survive:Making passwords stronger with adaptive policies[C]//Thirteenth Symposium on Usable Privacy and Security(SOUPS 2017).2017:1-12.
[13]HABIB H,COLNAGO J,MELICHER W,et al.Password creation in the presence of blacklists[C]//NDSS Symposium 2017.2017.
[14]BONNEAU J,SHUTOVAE.Linguistic properties of multi-word passphrases[C]//International Conference on Financial Cryptography and Data Security.Berlin,Heidelberg:Springer,2012:1-12.
[15]SHAY R,KELLEY P G,KOMANDURI S,et al.Correct horse battery staple:Exploring the usability of system-assigned passphrases[C]//Proceedings of the Eighth Symposium on Usable Privacy Snd security.2012:1-20.
[16]KUO C,ROMANOSKY S,CRANOR L F.Human selection of mnemonic phrase-based passwords[C]//Proceedings of the Se-cond Symposium on Usable Privacy and Security.2006:67-78.
[17]YAN J,BLACKWELL A,ANDERSON R,et al.Passwordmemorability and security:Empirical results[J].IEEE Security &Privacy,2004,2(5):25-31.
[18]FORGETA.A world with many authentication schemes[D].Ottawa:Carleton University,2013.
[19]GOLDBERG J,HAGMAN J,SAZAWALV.Doodling our way to better authentication[C]//Extended Abstracts on Human Factors in Computing Systems(CHI'02).2002:868-869.
[20]THORPE J,MACRAE B,SALEHI-ABARI A.Usability andsecurity evaluation of GeoPass:a geographic location-password scheme[C]//Proceedings of the Ninth Symposium on Usable Privacy and Security.2013:1-14.
[21]HERLEY C,VAN OORSCHOT P C,PATRICK A S.Pass-words:If we're so smart,why are we still using them?[C]//Financial Cryptography and Data Security:13th International Conference,FC 2009,Accra Beach,Barbados,Revised Selected Papers 13.Springer Berlin Heidelberg,2009:230-237.
[22]WIEDENBECK S,WATERS J,BIRGETJ C,et al.Authentication using graphical passwords:Effects of tolerance and image choice[C]//Proceedings of the 2005 Symposium on Usable Privacy and Security.2005:1-12.
[23]CARSTENS D S,MCCAULEY-BELL P R,MALONEL C,et al.Evaluation of the human impact of password authentication practices on information security[J].Informing Science,2004,7:67-85.
[24]SUMMERS W C,BOSWORTH E.Password policy:the good,the bad,and the ugly[C]//Proceedings of the Winter International Synposium on Information and Communication Technologies.2004:1-6.
[25]BARTON B F,BARTONM S.User-friendly password methods for computer-mediated information systems[J].Computers & Security,1984,3(3):186-195.
[26]FLORENCIO D,HERLEY C.A large-scale study of web password habits[C]//Proceedings of the 16th International Confe-rence on World Wide Web.2007:657-666.
[27]DHAMIJA R,PERRIG A.Deja {Vu--A} User Study:UsingImages for Authentication[C]//9th USENIX Security Symposium(USENIX Security 00).2000.
[28]GROVES J.Truffles－Myth or Strategic Plan?Sniffing outsome bizarre and inspired ways of motivating people to remember their passwords[J].Computer Fraud & Security,2002,2002(1):9-12.
[29]SCHWEITZER D,BOLENG J,HUGHES C,et al.Visualizing keyboard pattern passwords[J].Information Visualization,2011,10(2):127-133.
[30]HOROWITZA S.Top 10 security mistakes[J].Computer world,2001,35(28):38-38.
[31]ZHANG L,MCDOWELL W C.Am I really at risk? Determi-nants of online users' intentions to use strong passwords[J].Journal of Internet Commerce,2009,8(3/4):180-197.
[32]KELLEY P G,KOMANDURI S,MAZUREK M L,et al.Guess again(and again and again):Measuring password strength by simulating password-cracking algorithms[C]//2012 IEEE Symposium on Security and Privacy.IEEE,2012:523-537.
[33]SCARFONE K,SOUPPAYA M.Guide to enterprise passwordmanagement(draft)[J].NIST Special Publication,2009,800(118):800-118.
[34]NIELSEN G,VEDEL M,JENSEN C D.Improving usability of passphrase authentication[C]//2014 Twelfth Annual International Conference on Privacy,Security and Trust.IEEE,2014:189-198.
[35]MARKERT P,BAILEY D V,GOLLA M,et al.This pin can be easily guessed:Analyzing the security of smartphone unlock pins[C]//2020 IEEE Symposium on Security and Privacy(SP).IEEE,2020:286-303.
[36]NARAYANAN A,SHMATIKOV V.Fast dictionary attacks on passwords using time-space tradeoff[C]//Proceedings of the 12th ACM Conference on Computer and Communications Secu-rity.2005:364-372.
[37]WALIA K S,SHENOY S,CHENG Y.An empirical analysis on the usability and security of passwords[C]//2020 IEEE 21st International Conference on Information Reuse and Integration for Data Science(IRI).IEEE,2020:1-8.
[38]GRASSI P,GARCIA M,FENTONJ.Digital identity guidelines[R].National Institute of Standards and Technology,2020.
[39]KEITH M,SHAO B,STEINBARTP J.The usability of passphrases for authentication:An empirical field study[J].International Journal of Human-computer Studies,2007,65(1):17-28.
[40]VU K P L,PROCTOR R W,BHARGAV-SPANTZEL A,et al.Improving password security and memorability to protect personal and organizational information[J].International Journal of Human-computer Studies,2007,65(8):744-757.
[41]NELSON D L,VU K P L.Effects of a mnemonic technique on subsequent recall of assigned and self-generated passwords[C]//Human Interface and the Management of Information.Designing Information Environments:Symposium on Human Interface 2009,Held as Part of HCI International 2009,San Diego,CA,USA,Part I.Springer Berlin Heidelberg,2009:693-701.
[42]ZHANG J,LUO X,AKKALADEVI S,et al.Improving multiple-password recall:an empirical study[J].European Journal of Information Systems,2009,18(2):165-176.
[43]YAN J,BLACKWELL A,ANDERSON R,et al.The memorability and security of passwords-some empirical results[R].University of Cambridge,Computer Laboratory,2000.
[44]VU K P L,TAI B L,BHARGAVA,et al.Promoting memorability and security of passwords through sentence generation[C]//Proceedings of the Human Factors and Ergonomics Society Annual Meeting.Sage CA:Los Angeles,CA:SAGE Publications,2004,48(13):1478-1482.
[45]ZHANG Y,XIAN H Q,YU A M.Chinese sentence-based password mnemonic strategy[J].Science Technology and Enginee-ring,2019,19(35):253-258.
[46]CHEN X,SHU H,WU N,et al.Stages in learning to pronounce Chinese characters[J].Psychology in the Schools,2003,40(1):115-124.
[47]KOMIYA K,NAKAJIMA T.Memorability of Japanese Mne-monic Passwords[C]//Cross-Cultural Design.Experience and Product Design Across Cultures:13th International Conference(CCD 2021),Held as Part of the 23rd HCI International Conference,HCII 2021,Virtual Event,Part I 23.Springer International Publishing,2021:420-429.
[48]IGARASHI Y.The changing role of katakana in the Japanese writing system[D].Canada:University of Victoria,2007.
[49]KUBOZONOH.Mora and syllable[M]//The Handbook of Japanese Linguistics.2017:31-61.
[50]SOTIROVA-KOHLI M,ROSEN D H,SMITH S M,et al.Empirical study of Kanji as archetypal images:understanding the collective unconscious as part of the Japanese language[J].Journal of Analytical Psychology,2011,56(1):109-132.
[51]WYDELL T N,PATTERSON K E,HUMPHREYSG W.Phonologically mediated access to meaning for kanji:Is a rows still a rose in Japanese kanji?[J].Journal of Experimental Psycho-logy:Learning,Memory,and Cognition,1993,19(3):491.
[52]FURNELLS.An assessment of website password practices[J].Computers & Security,2007,26(7/8):445-451.
[53]BONNEAU J.The science of guessing:analyzing an anonymizedcorpus of 70 million passwords[C]//2012 IEEE Symposium on Security and Privacy.IEEE,2012:538-552.
[54]MILLER G A.The magical number seven,plus or minus two:Some limits on our capacity for processing information[J].Psychological Review,1956,63(2):81.
[55]JEYARAMAN S,TOPKARA U.Have the cake and eat it too-infusing usability into text-password based authentication systems[C]//21st Annual Computer Security Applications Confe-rence(ACSAC'05).IEEE,2005:10 pp.-482.
[56]DOR D.On newspaper headlines as relevance optimizers[J].Journal of Pragmatics,2003,35(5):695-721.
[57]MALONE D,MAHER K.Investigating the distribution of password choices[C]//Proceedings of the 21st International Confe-rence on World Wide Web.2012:301-310.
[58]FORGET A,BIDDLE R.Memorability of persuasive passwords[M]//Extended Abstracts on Human Factors in Computing Systems(CHI'08).2008:3759-3764.
[59]FORGET A,CHIASSON S,VAN OORSCHOT P C,et al.Improving text passwords through persuasion[C]//Proceedings of the 4th Symposium on Usable Privacy and Security.2008:1-12.
[60]FOGG B J.Persuasive technology:using computers to change what we think and do[J].Ubiquity,2002,2002(December):2.
[61]YEE K P,SITAKER K.Passpet:convenient password management and phishing protection[C]//Proceedings of the Second Symposium on Usable Privacy and Security.2006:32-43.
[62]YILDIRIM M,MACKIE I.Encouraging users to improve password security and memorability[J].International Journal of Information Security,2019,18:741-759.
[63]CLAIR L S,JOHANSEN L,ENCK W,et al.Password exhaus-tion:Predicting the end of password usefulness[C]//Information Systems Security:Second International Conference(ICISS 2006).Kolkata,India,Springer Berlin Heidelberg,2006:37-55.
[64]UR B,BEES J,SEGRETI S M,et al.Do users' perceptions of password security match reality?[C]//Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems.2016:3748-3760.
[65]DENNING T,BOWERS K,VAN DIJK M,et al.Exploring implicit memory for painless password recovery[C]//Proceedings of the SIGCHI Conference on Human Factors in Computing Systems.2011:2615-2618.
[66]UMEJIAKU A P,DHAKAL P,SHENG V S.Balancing Password Security and User Convenience:Exploring the Potential of Prompt Models for Password Generation[J].Electronics,2023,12(10):2159.
[67]SHUKLA V,MISHRA A,AGARWAL S.A new one time password generation method for financial transactions with randomness analysis[C]//Innovations in Electrical and Electronic Engineering(ICEEE 2020).Springer Singapore,2021:713-723.
[68]SHAY R,KOMANDURI S,DURITY A L,et al.Designingpassword policies for strength and usability[J].ACM Transactions on Information and System Security(TISSEC),2016,18(4):1-34.
[69]BHANA B,FLOWERDAY S V.Usability of the login authentication process:passphrases and passwords[J].Information & Computer Security,2022,30(2):280-305.
[70]FORGET A,CHIASSON S,BIDDLE R.Choose your own authentication[C]//Proceedings of the 2015 New Security Paradigms Workshop.2015:1-15.
[71]ONSORODI A H H,KORHAN O.Application of a genetic algorithm to the keyboard layout problem[J].PloS One,2020,15(1):e0226611.
[72]SCHWEITZER D,BOLENG J,HUGHES C,et al.Visualizing keyboard pattern passwords[J].Information Visualization,2011,10(2):127-133.
[73]SANDNES F E,AUBERT A.Bimanual text entry using gamecontrollers:relying on users' spatial familiarity with QWERTY[J].Interacting with Computers,2007,19(2):140-150.
[74]YE B,GUO Y,ZHANG L,et al.An empirical study of mnemo-nic password creation tips[J].Computers & Security,2019,85:41-50.
[75]SHELTON A L,MCNAMARA T P.Systems of spatial refe-rence in human memory[J].Cognitive Psychology,2001,43(4):274-310.
[76]GUO Y,ZHANG Z,GUO Y.Optiwords:A new password policy for creating memorable and strong passwords[J].Computers & Security,2019,85:423-435.
[77]HOCKLEY W E.The picture superiority effect in associativerecognition[J].Memory & Cognition,2008,36(7):1351-1359.
[78]UELLENBECK S,DÜRMUTH M,WOLF C,et al.Quantifying the security of graphical passwords:The case of android unlock patterns[C]//Proceedings of the 2013 ACM SIGSAC Confe-rence on Computer & Communication Security.2013:161-172.
[79]SONG J,WANG D,YUN Z,et al.Alphapwd:A password ge-neration strategy based on mnemonic shape[J].IEEE Access,2019,7:119052-119059.
[80]FERGUSON D,DUNCAN J.Keyboard design and operatingposture[J].Ergonomics,1974,17(6):731-744.
[81]LYU S,YAO Q,SONG J.AvoidPwd:A mnemonic password generation strategy based on keyboard transformation[J].China Communications,2022,19(10):92-101.
[82]CHOU H C,LEE H C,HSUEHC W,et al.Password cracking based on special keyboard patterns[J].International Journal of Innovative Computing,Information and Control,2012,8(1):387-402.
[83]KOMANDURIS,SHAY R,CRANOR L F,et al.Telepath-words:preventing weak passwords by reading user's minds[C]//Proceedings of the 23rd USENIX Conference on Security Symposium(SEC'14).2014:591-606.
[84]WEISS R,DE LUCA A.PassShapes:utilizing stroke based authentication to increase password memorability[C]//Procee-dings of the 5th Nordic Conference on Human-computer Interaction:Building Bridges.2008:383-392.
[85]FRAUNE M R,JUANG K A,GREENSTEIN J S,et al.Employing user-created pictures to enhance the recall of system-gene-rated mnemonic phrases and the security of passwords[C]//Proceedings of the Human Factors and Ergonomics Society Annual Meeting.Sage CA:Los Angeles,CA:SAGE Publications,2013,57(1):419-423.
[86]BISHOP M.Password management[C]//COMPCON Spring'91Digest of Papers.IEEE,1991:167-169.
[87]HUH J H,OH S,KIM H,et al.Surpass:System-initiated user-replaceable passwords[C]// Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security.2015:170-181.
[88]MCLENNAN C T,MANNING P,TUFT S E.An evaluation of the Game Changer Password System:A new approach to password security[J].International Journal of Human-Computer Studies,2017,100:1-17.
[89]BRUMENB.Security analysis of game changer password system[J].International Journal of Human-Computer Studies,2019,126:44-52.
[90]ZIMMERMANN V,GERBER N.The password is dead,longlive the password-A laboratory study on user perceptions of authentication schemes[J].International Journal of Human-Computer Studies,2020,133:26-44.
[91]WANG P,WANG D,HUANG X Y.Advances in Password Security[J].Journal of Computer Research and Development,2016,53(10):2173-2188.
[92]WOODS N,SIPONEN M.How memory anxiety can influence password security behavior[J].Computers & Security,2024,137:103589.

Metrics

Viewed

Full text

Abstract

Cited

Shared

Discussed

Comments

Recommended 0

No Suggested Reading articles found!

Overview of Mnemonic Password Creation Policies

PDF (PC)

Abstract

Cite this article

share this article

References

Related Articles 15

Metrics

Comments

Recommended 0

[1]	CHEN Liang, SUN Cong. Deep-learning Based DKOM Attack Detection for Linux System [J]. Computer Science, 2024, 51(9): 383-392.
[2]	WANG Xuxian, HUANG Jinhua, ZHAI You, LI Chu’nan, WANG Yu, ZHANG Yupeng, ZHANG Yipeng, YANG Liqun, LI Zhoujun. Survey of Detection Techniques for Domain Generation Algorithm [J]. Computer Science, 2024, 51(8): 371-378.
[3]	ZHENG Haibin, LIU Xinran, CHEN Jinyin, WANG Pengcheng, WANG Xuanye. Integrity Interference Attack and Defense Methods for Network Traffic Measurement [J]. Computer Science, 2024, 51(8): 420-428.
[4]	CHENG Andong, XIE Sijiang, LIU Ang, FENG Yimeng. Efficient Quantum-secure Byzantine Fault Tolerance Consensus Mechanism Based on HotStuff [J]. Computer Science, 2024, 51(8): 429-439.
[5]	WANG Zhen, ZHOU Chao, FAN Yongwen, Shi Pengfei. Overview of Unmanned Aerial Vehicle Systems Security [J]. Computer Science, 2024, 51(6A): 230800086-6.
[6]	TIAN Hao, WANG Chao. Design and Implementation of SNMPv3 Security Mechanism Based on National Security SM3 andSM4 Algorithms [J]. Computer Science, 2024, 51(6A): 230500209-7.
[7]	XUE Jianbin, DOU Jun, WANG Tao, MA Yuling. Scheme for Maximizing Secure Communication Capacity in UAV-assisted Edge Computing Networks [J]. Computer Science, 2024, 51(6A): 230800032-7.
[8]	LI Fei, CHEN Tong. Survivability Evaluation of National Defense Engineering Power System Grid Considering MultipleAttack Strategies [J]. Computer Science, 2024, 51(6A): 230700171-8.
[9]	LIU Chunling, QI Xuyan, TANG Yonghe, SUN Xuekai, LI Qinghao, ZHANG Yu. Summary of Token-based Source Code Clone Detection Techniques [J]. Computer Science, 2024, 51(6): 12-22.
[10]	JIA Fan, YIN Xiaokang, GAI Xianzhe, CAI Ruijie, LIU Shengli. Function-call Instruction Characteristic Analysis Based Instruction Set Architecture Recognization Method for Firmwares [J]. Computer Science, 2024, 51(6): 423-433.
[11]	HUO Xingxing, HU Ruimin, LI Yixin. Early-stage Fatigue Detection Based on Frequency Domain Information of Eye Features [J]. Computer Science, 2024, 51(6): 247-255.
[12]	LI Panpan, WU Hao, LIU Jiajia, DUAN Li, LU Yunlong. Overview of Security Technologies and Strategies for Intelligent Railway 5G [J]. Computer Science, 2024, 51(5): 1-11.
[13]	WANG Gengrun. Survey of Research and Application of User Identity Linkage Technology in Cyberspace [J]. Computer Science, 2024, 51(5): 12-20.
[14]	PANG Yuxiang, CHEN Zemao. Security Scheme of UAV Flight Control Based on Attribute Access Control Policy [J]. Computer Science, 2024, 51(4): 366-372.
[15]	SHANG Yuling, LI Peng, ZHU Feng, WANG Ruchuan. Overview of IoT Traffic Attack Detection Technology Based on Fuzzy Logic [J]. Computer Science, 2024, 51(3): 3-13.