Abstract
We explore the feasibility of Tacit Secrets: system-assigned passwords that you can remember, but cannot write down or otherwise communicate. We design an approach to creating Tacit Secrets based on contextual cueing, an implicit learning method previously studied in the cognitive psychology literature. Our feasibility study indicates that our approach has strong security properties: resistance to brute-force attacks, online attacks, phishing attacks, some coercion attacks, and targeted impersonation attacks. It also offers protection against leaks from other verifiers as the secrets are system-assigned. Our approach also has some interesting usability properties, a high login success rate, and low false positive rates. We explore enhancements to our approach and find that incorporating eye-tracking data offers substantial improvements. We also explore the trade-offs of different configurations of our design and provide insight into valuable directions for future work.
Acknowledgements
We thank the participants of our feasibility study. This research was supported by the Natural Sciences and Engineering Research Council of Canada (NSERC).
Cite this article
Joudaki, Z., Thorpe, J. & Vargas Martin, M. Enhanced Tacit Secrets: System-assigned passwords you can’t write down, but don’t need to. Int. J. Inf. Secur. 18, 239–255 (2019). https://doi.org/10.1007/s10207-018-0408-2