Storing 56-bit keys in human memory

Joseph Bonneau, Center for Information Technology Policy

July 25, 2014 2:00pm, in DC 1304


The talk will challenge the conventional wisdom that users cannot remember cryptographically strong secrets. We tested the hypothesis that users can learn randomly assigned 56-bit codes (encoded as either 6 words or 12 characters) through spaced repetition. We asked remote research participants to perform a distractor task that required logging into a website 90 times over up to two weeks with a password of their choosing. After they entered their password correctly, we displayed a short code (4 letters or 2 words, 18.8 bits) that we required them to type. For subsequent logins we added an increasing delay before displaying the code, which they could avoid by typing the code from memory. As participants learned, we added two more codes to form a 56.4-bit secret. Overall, 94% of participants eventually typed their entire secret from memory, learning it after a median of 36 logins. The learning component of our system added a median delay of just 6.9 s per login and a total of less than 12 minutes over an average of ten days. 87% were able to recall their codes exactly when asked at least three days later, with only 21% reporting having written their secret down. As one participant wrote with surprise, “the words are branded into my brain.” This talk will survey the potential of training users to memorize strong random passwords for high-security applications.
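To make the protocol in the abstract concrete, here is an added illustration (not code from the study) of how the chunks can be generated and how the spaced-repetition login flow fits together. The entropy figures follow from the stated formats (26^4 for 4 letters, which matches 2 words only from a 676-word list); the word list, the delay growth and the "learned" threshold are assumptions of this example.

```python
import math
import secrets
import string

# Chunk formats stated in the abstract: 4 letters or 2 words, 18.8 bits each, three
# chunks making a 56.4-bit secret. Two words reach 18.8 bits only with a 676-word
# list (676**2 == 26**4); the list below is a constructed stand-in, not the study's.
LETTERS = string.ascii_lowercase
WORDLIST = [f"word{i:03d}" for i in range(676)]

def chunk_bits(fmt):
    """Entropy in bits of one randomly assigned chunk of the given format."""
    if fmt == "letters":
        return 4 * math.log2(len(LETTERS))
    if fmt == "words":
        return 2 * math.log2(len(WORDLIST))
    raise ValueError(fmt)

def new_chunk(fmt):
    """Draw one chunk with a CSPRNG; the participant never chooses it."""
    if fmt == "letters":
        return "".join(secrets.choice(LETTERS) for _ in range(4))
    return " ".join(secrets.choice(WORDLIST) for _ in range(2))

class Trainer:
    """Login flow from the abstract: the code is shown after a delay that grows with
    each login, the participant can skip the wait by typing it from memory, and a new
    chunk is added once the current ones are learned. delay_step and learned_after
    are assumed parameters, not values from the study."""

    def __init__(self, fmt="letters", chunks=3, delay_step=1.0, learned_after=3):
        self.secret = [new_chunk(fmt) for _ in range(chunks)]
        self.active = 1          # chunks currently being trained
        self.delay = 0.0         # seconds before the code is displayed
        self.streak = 0          # consecutive logins with all active chunks recalled
        self.delay_step, self.learned_after = delay_step, learned_after

    def login(self, typed_from_memory):
        """One login; returns (seconds waited, whether a new chunk was added)."""
        expected = " ".join(self.secret[: self.active])
        if typed_from_memory == expected:
            self.streak, waited = self.streak + 1, 0.0
        else:
            self.streak, waited = 0, self.delay     # wait, then the code is shown
            self.delay += self.delay_step           # the next wait is longer
        added = self.streak >= self.learned_after and self.active < len(self.secret)
        if added:
            self.active, self.streak = self.active + 1, 0
        return waited, added
```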


Joseph Bonneau is a postdoctoral research fellow at the Center for Information Technology Policy (CITP), Princeton. His research focuses on applied cryptography and security, particularly password security and Bitcoin. He has worked at Google, Yahoo and Cryptography Research Inc. and holds a PhD from the University of Cambridge and BS and MS degrees from Stanford University.