CrySP Speaker Series on Privacy

This speaker series is made possible by an anonymous charitable donation in memory of cypherpunks and privacy advocates Len Sassaman, Hugh Daniel, Hal Finney, and Caspar Bowden.

View the list of past and upcoming speakers

Teaching Users Random System-Assigned Passwords

Matthew Wright, University of Texas at Arlington

[Download (MP4)] [View on Youtube]

December 2, 2015 2:00pm, in DC 1302


Today, users are being asked to perform a complex and difficult task—composing a secure and memorable password—with incomplete and sometimes incorrect information about what makes passwords secure, what makes them memorable, and how to memorize this specially crafted information. And the results aren't pretty: many user-selected passwords are easy to guess, despite strength requirements that mostly just make passwords harder to remember, and many people reuse passwords even for important accounts. We propose the use of random system-assigned passwords, which provide guarantees on guessing resistance. Unfortunately, such passwords are hard to remember. In this talk, I will discuss two approaches that we have explored for making them more memorable: CuedR and the Memory Palace. In CuedR, we provide the user with graphical, verbal, and spatial cues at both registration and login to recognize a set of system-assigned keywords. The login success rate after one week in one of our studies (N=37) was 100%. The Memory Palace is a technique used by "memory champions" in which the user links a sequence of objects with a sequence of rooms in a house. We generate and show users a Memory Palace video that teaches users their random password. The login success rate was somewhat lower than for CuedR (86%), but the technique offers fast login times and shows promise for recall of 56-bit password strings.


Matthew Wright is an associate professor at the University of Texas at Arlington. He graduated with his Ph.D from the Department of Computer Science at the University of Massachusetts in May 2005, where he earned his M.S. in 2002. His dissertation work addresses the robustness of anonymous communications. His other interests include usable authentication systems and secure and sybil-resistant P2P systems. Previously, he earned his B.S. degree in Computer Science at Harvey Mudd College. He is a recipient of the NSF CAREER Award and the Outstanding Paper Award at NDSS 2002.