Enhanced Tacit Secrets: System-assigned passwords you can’t write down, but don’t need to

  • Regular Contribution
  • International Journal of Information Security

Abstract

We explore the feasibility of Tacit Secrets: system-assigned passwords that you can remember, but cannot write down or otherwise communicate. We design an approach to creating Tacit Secrets based on contextual cueing, an implicit learning method previously studied in the cognitive psychology literature. Our feasibility study indicates that our approach has strong security properties: resistance to brute-force attacks, online attacks, phishing attacks, some coercion attacks, and targeted impersonation attacks. It also offers protection against leaks from other verifiers as the secrets are system-assigned. Our approach also has some interesting usability properties, a high login success rate, and low false positive rates. We explore enhancements to our approach and find that incorporating eye-tracking data offers substantial improvements. We also explore the trade-offs of different configurations of our design and provide insight into valuable directions for future work.



Acknowledgements

We thank the participants of our feasibility study. This research was supported by the Natural Sciences and Engineering Research Council of Canada (NSERC).

Corresponding author

Correspondence to Zeinab Joudaki.

Cite this article

Joudaki, Z., Thorpe, J. & Vargas Martin, M. Enhanced Tacit Secrets: System-assigned passwords you can’t write down, but don’t need to. Int. J. Inf. Secur. 18, 239–255 (2019). https://doi.org/10.1007/s10207-018-0408-2
