Eight characters. One capital letter. A special character. A different password for each website. Remembering a new password is almost as challenging as creating one. Yet strong passwords are vitally important to keeping online information secure.
This is why Georgia Tech researchers have developed a method for users to generate secure passwords in their head without having to memorize them.
Human computation is the study of algorithms people can complete in their head. Developing secure passwords through human computation was first presented in a 2015 paper by School of Computer Science (SCS) Professor Santosh Vempala and Carnegie Mellon Professor Manuel Blum. Their paper introduced humanly computable password strategies and gave theoretical measures and analysis of their security and human usability.
But Adam Kalai, principal researcher at Microsoft Research New England, and SCS Ph.D. student Samira Samadi wanted to find a way to test these strategies on real people and make them easy to learn.
“There was still a big gap between these ideas being out there and whether an internet user would actually be able to adopt them,” Samadi said. “My field is in theory and machine learning, and whatever I do, I want to see if there can be a real-world impact.”
Creating a password strategy
With practicality in mind, Samadi worked with Kalai and Vempala to design a guide to help users through the process. The website presents three strategies users can try to craft passwords:
Letter Code Strategy: mapping letters to letters
Three Word Strategy: using three random words
Counting strategy: permuting five consonants and five vowels to generate words, and mapping these 10 letters to the 10 digits
For example, with the letter code strategy, a user would map the first 20 letters of the alphabet to 20 random consonants. Only using the first 20 letters is easier for memorization. If a website uses a letter from the last six letters (say Zillow), users can employ the “wildcard” letter of their choice.
To memorize this letter map, Samadi suggests coming up with words that use those two letters matched on their map. If the letters were “a” and” q,” users might think “aquarium.” Generating words for each combo will help users remember their map and then be able to come up with passwords quickly as needed.
To generate a password for a website, users take the name of the website and match it to their map. With Apple.com, a user would match each letter of the word “apple” to the corresponding letter on their map. If a password required a number or special character, users can append a fixed random combo, such as B7!.
In the three-word strategy, the user selects and memorizes a sequence of three random words. These implicitly create a letter code. To find the code for a letter, locate its first occurrence in the three chosen words and find the next consonant, as seen in the diagram.
Samadi designed a website where anyone can learn this and the other two password strategies via step-by-step instructions and informative videos. Coming up with a password strategy can take some effort for first-time users, but once they memorize a table or three words, they can generate passwords in seconds.
The researchers created a study to evaluate the usability and effectiveness of the step-by-step instructions provided. For the letter-code strategy, it took users 21 minutes to learn the strategy and memorize a complete random letter code (13 minutes for the three-word strategy). The study found that after some practice, users could generate completely new passwords in under 20 seconds each.
The research was presented in the paper Usability of Human Computable Passwords, coauthored with Kalai and Vempala, at HCOMP 2018, the AAAI Conference on Human Computation and Crowdsourcing in Zurich from July 5 to 8.