What's Going On: Life-Experience Passwords

October 25, 2016

Jelena Mirkovic knows how to protect your password - and help you remember it at the same time.

At ISI's mid-October "What's Going On" research breakfast, Mirkovic described two of her Security REsEarch Lab (STEEL) group's projects, both aimed at making passwords stronger and easier to retain. While passwords are a naive approach to perform authentication, Stanford researchers found those negatives are outweighed by simplicity, portability and ease. Simply put, passwords are a necessary evil.

In her lively presentation to about 30 attendees, Mirkovic pointed to an inherent conflict. Memorable passwords can be easily guessed by attackers, and complex versions are hard to recall. The most pressing problems are low security, low memorability and frequent reuse across websites.

Mirkovic's team, which includes collaborators in USC's Institute for Creative Technologies and departments of computer science and linguistics, came up with a novel authentication approach: "life experience passwords" (LEPs) with challenge questions unique to each person's history. Such passwords don't require additional memorization and may not be guessable even by a close friend or spouse.

Weddings, births, travel and other events can be mined for memories like people, location, time and objects. Users essentially narrate the event, such as the city in which they were married, who baked the cake and what gifts they received. Input is turned into a series of challenge questions and answers that become user prompts at authentication time. Answers become the LEP. Mirkovic's team also deployed relaxed matching techniques to allow for replies that match the LEP in substance, even if not verbatim.

LEPs were tested in multiple human user trials approved by USC's Institutional Research Board (IRB). LEPs proved 10,000 to 100,000 times stronger than a random eight- character password. They were also two to three times more memorable than typical user-chosen passwords after a week, and six times more memorable after three months. LEPs were reused half as often as ordinary passwords, and only 3.5 percent were guessable by friends of a user, making LEPs a promising new authentication method.

Mirkovic also touched on her work surveying password re-use, conducted jointly with University of Illinois at Chicago faculty. Their USC IRB-approved human user study recruited 50 USC students and asked them to log into 12 chosen sites. Their passwords were transformed into strings that protected privacy but enabled reuse study. Among their discoveries: 85% of subjects reused passwords across high-value sites such as banks and low-value sites like retailers, and 90% didnâ&euro&tradet realize passwords can be cracked via dictionaries using automated tools.

All in all, said Mikovic, it's clear that password-based authentication needs deeper research to be both readily memorable and highly secure.

"What's Going On" research breakfasts will continue with Greg Ver Steeg, Pedro Szekely, Jose Luis Ambite and Craig Knoblock of Intelligent Systems; John Heidemann of Internet and Networked Systems; and Andrew Schmidt of Computational Sciences and Technology. Gully Burns is coordinating the series.