Header menu link for other important links
X
Trenchcoat: Human-computable hashing algorithms for password generation
R.H. Rooparaghunath, T.S. Harikrishnan,
Published in Springer Science and Business Media Deutschland GmbH
2020
Volume: 12579 LNCS
   
Pages: 167 - 187
Abstract
The average user has between 90–130 online accounts [17], and around 3 × 1011 passwords are in use this year [10]. Most people are terrible at remembering “random” passwords, so they reuse or create similar passwords using a combination of predictable words, numbers, and symbols [16]. Previous password-generation or management protocols have imposed so large a cognitive load that users have abandoned them in favor of insecure yet simpler methods (e.g., writing them down or reusing minor variants). We describe a range of candidate human-computable “hash” functions suitable for use as password generators - as long as the human (with minimal education assumptions) keeps a single, easily-memorizable ‘master’ secret - and rate them by various metrics, including effective security. These functions hash master-secrets with user accounts to produce sub-secrets that can be used as passwords; FR(s, w) ⟶ y, which takes a website w and produces a password y, parameterized by the master secret s, which may or may not be a string. We exploit the unique configuration R of each user’s associative and implicit memory (detailed in Sect. 2) to ensure that sources of randomness unique to each user are present in each F. An adversary cannot compute or verify FR efficiently since R is unique to each individual; in that sense, our hash function is similar to a physically unclonable function [37]. For the algorithms we propose, the user need only complete primitive operations such as addition, spatial navigation or searching. Critically, most of our methods are also accessible to neurodiverse, or cognitively or physically differently-abled persons. Given the nature of these functions, it is not possible to directly use traditional cryptographic methods for analysis; so, we use an array of approaches, mainly related to entropy, to illustrate and analyze the same. We draw on cognitive, neuroscientific, and cryptographic research to use these functions as improved password management and creation systems, and present results from a survey (n = 134 individuals, with each candidate performing 2 schemes) investigating real-world usage of these methods and how people currently come up with their passwords. We also survey 400 websites to collate current password advice. © Springer Nature Switzerland AG 2020.