StoryPass: a system and study for memorable secure passphrases.

Abstract

The goal of this thesis is to study the implementation of a passphrase system that implements new creation policies, called StoryPass. We are motivated to do this research as current text-based authentication methods, such as the password, fail to provide adequate security and usability. We call our system StoryPass because we were inspired by previous research which states that information created with stories can be more memorable. The problem we address is the lack of research on secure and usable passphrase creation guidelines. Our main contributions include a theoretical security analysis, a controlled 39-day user study and an estimate of the security that the resulting passphrases provide. Our security estimates are mainly performed through an algorithm that uses n-grams to estimate the number of attempts required to successfully guess passphrases created in StoryPass. We were able to successfully guess 64% of the passphrases collected during our 39-day user study, but with only a very large number of attempts. The passphrases which were not guessed generally contained slang and \non-words" which are words that are not found in standard dictionaries. Using a sentence-like structure in passphrases greatly improved usability. Memory errors were the leading cause of failed login; error correction techniques were used to prevent login failures from typographical errors. This thesis discusses how results from our user study can be used to help guide future passphrase creation policies.