Towards reliable storage of 56-bit secrets in human memory

Joseph Bonneau, Stuart Schechter

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Challenging the conventional wisdom that users cannot remember cryptographically-strong secrets, we test the hypothesis that users can learn randomly-assigned 56-bit codes (encoded as either 6 words or 12 characters) through spaced repetition. We asked remote research participants to perform a distractor task that required logging into a website 90 times, over up to two weeks, with a password of their choosing. After they entered their chosen password correctly we displayed a short code (4 letters or 2 words, 18.8 bits) that we required them to type. For subsequent logins we added an increasing delay prior to displaying the code, which participants could avoid by typing the code from memory. As participants learned, we added two more codes to comprise a 56.4-bit secret. Overall, 94% of participants eventually typed their entire secret from memory, learning it after a median of 36 logins. The learning component of our system added a median delay of just 6.9 s per login and a total of less than 12 minutes over an average of ten days. 88% were able to recall their codes exactly when asked at least three days later, with only 21% reporting having written their secret down. As one participant wrote with surprise, "the words are branded into my brain".

Original language: English (US)
Title of host publication: Proceedings of the 23rd USENIX Security Symposium
Publisher: USENIX Association
Pages: 607-623
Number of pages: 17
ISBN (Electronic): 9781931971157
State: Published - Jan 1 2014
Event: 23rd USENIX Security Symposium - San Diego, United States
Duration: Aug 20 2014 to Aug 22 2014

Publication series

Name: Proceedings of the 23rd USENIX Security Symposium

Conference

Conference: 23rd USENIX Security Symposium
Country: United States
City: San Diego
Period: 8/20/14 to 8/22/14

Fingerprint

Data storage equipment
Websites
Brain

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems
  • Safety, Risk, Reliability and Quality

Cite this

Bonneau, J., & Schechter, S. (2014). Towards reliable storage of 56-bit secrets in human memory. In Proceedings of the 23rd USENIX Security Symposium (pp. 607-623). (Proceedings of the 23rd USENIX Security Symposium). USENIX Association.

Towards reliable storage of 56-bit secrets in human memory. / Bonneau, Joseph; Schechter, Stuart.

Proceedings of the 23rd USENIX Security Symposium. USENIX Association, 2014. p. 607-623 (Proceedings of the 23rd USENIX Security Symposium).

Bonneau, J & Schechter, S 2014, Towards reliable storage of 56-bit secrets in human memory. in Proceedings of the 23rd USENIX Security Symposium. Proceedings of the 23rd USENIX Security Symposium, USENIX Association, pp. 607-623, 23rd USENIX Security Symposium, San Diego, United States, 8/20/14.

Bonneau J, Schechter S. Towards reliable storage of 56-bit secrets in human memory. In Proceedings of the 23rd USENIX Security Symposium. USENIX Association. 2014. p. 607-623. (Proceedings of the 23rd USENIX Security Symposium).

Bonneau, Joseph ; Schechter, Stuart. / Towards reliable storage of 56-bit secrets in human memory. Proceedings of the 23rd USENIX Security Symposium. USENIX Association, 2014. pp. 607-623 (Proceedings of the 23rd USENIX Security Symposium).

@inproceedings{90f47f4d712947528d06fbd250f69ec6,
title = "Towards reliable storage of 56-bit secrets in human memory",
abstract = "Challenging the conventional wisdom that users cannot remember cryptographically-strong secrets, we test the hypothesis that users can learn randomly-assigned 56-bit codes (encoded as either 6 words or 12 characters) through spaced repetition. We asked remote research participants to perform a distractor task that required logging into a website 90 times, over up to two weeks, with a password of their choosing. After they entered their chosen password correctly we displayed a short code (4 letters or 2 words, 18.8 bits) that we required them to type. For subsequent logins we added an increasing delay prior to displaying the code, which participants could avoid by typing the code from memory. As participants learned, we added two more codes to comprise a 56.4-bit secret. Overall, 94{\%} of participants eventually typed their entire secret from memory, learning it after a median of 36 logins. The learning component of our system added a median delay of just 6.9 s per login and a total of less than 12 minutes over an average of ten days. 88{\%} were able to recall their codes exactly when asked at least three days later, with only 21{\%} reporting having written their secret down. As one participant wrote with surprise, {"}the words are branded into my brain{"}.",
author = "Joseph Bonneau and Stuart Schechter",
year = "2014",
month = "1",
day = "1",
language = "English (US)",
series = "Proceedings of the 23rd USENIX Security Symposium",
publisher = "USENIX Association",
pages = "607--623",
booktitle = "Proceedings of the 23rd USENIX Security Symposium",
}

TY - GEN

T1 - Towards reliable storage of 56-bit secrets in human memory

AU - Bonneau, Joseph

AU - Schechter, Stuart

PY - 2014/1/1

Y1 - 2014/1/1

N2 - Challenging the conventional wisdom that users cannot remember cryptographically-strong secrets, we test the hypothesis that users can learn randomly-assigned 56-bit codes (encoded as either 6 words or 12 characters) through spaced repetition. We asked remote research participants to perform a distractor task that required logging into a website 90 times, over up to two weeks, with a password of their choosing. After they entered their chosen password correctly we displayed a short code (4 letters or 2 words, 18.8 bits) that we required them to type. For subsequent logins we added an increasing delay prior to displaying the code, which participants could avoid by typing the code from memory. As participants learned, we added two more codes to comprise a 56.4-bit secret. Overall, 94% of participants eventually typed their entire secret from memory, learning it after a median of 36 logins. The learning component of our system added a median delay of just 6.9 s per login and a total of less than 12 minutes over an average of ten days. 88% were able to recall their codes exactly when asked at least three days later, with only 21% reporting having written their secret down. As one participant wrote with surprise, "the words are branded into my brain".

UR - http://www.scopus.com/inward/record.url?scp=85060180093&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85060180093&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:85060180093

T3 - Proceedings of the 23rd USENIX Security Symposium

SP - 607

EP - 623

BT - Proceedings of the 23rd USENIX Security Symposium

PB - USENIX Association

ER -