Sauvik Das, Jason Hong, and Stuart Schechter

NDSS Workshop on Usable Security (USEC)

February 2016

People sometimes require very strong passwords for high-value accounts (e.g., master passwords for password managers and encryption keys), but often cannot create these strong passwords. Assigning them provably strong secrets is one solution, and prior work has shown that people can learn these assigned secrets through rote learning, though learning the secrets takes some time and they are quickly forgotten after two weeks of disuse. To improve upon the learning speed and long-term recall of strong, assigned secrets, we introduce, implement and evaluate a set of treatments, inspired by mnemonic devices and real-time feedback tutoring systems, to assist people in learning and remembering their assigned secrets. We encoded strong secrets as a set of six words randomly chosen from a corpus of 676 (∼56 bits of entropy). In a randomized between-subjects experiment, our story mnemonic, in which participants wrote two sentences linking their assigned secret words together in a narrative, performed best. Participants who used the story mnemonic required significantly fewer training sessions (7.5 versus 12 sessions) and had higher two-week recall when allowing for minor errors (84% vs. 65%) than the rote control from prior work. Additionally, 92% of those who could not recall their full secrets after two weeks were able to recover their secret once they saw their mnemonic hints with the secret words elided. In contrast, our other treatments did not perform as well – providing few, if any, notable improvements over the rote control. Finally, in an exit survey, a large majority of our participants reported that our treatments were quick, helpful and enjoyable.

experiment, mnemonics, passwords, security, usable security