October 22, 2014
Speaker: Chris Bonk, UOIT Master of Science student
Title: StoryPass: A System for Secure and Memorable Passphrases
Abstract: StoryPass is a system for the study of secure and memorable passphrases that implements a new set of creation guidelines. We ran a 39-day user study at UOIT with 39 users to study the use of passphrases in StoryPass. We built a custom algorithm to estimate the security of the passphrases gathered, using n-grams from the Corpus of Contemporary American English (COCA). We were able to successfully estimate the security provided by 64 per cent of the passphrases against an offline guessing attack; those that were not given an estimate might be even more secure, as they contained at least one unusual word which was not found in COCA. In terms of usability, we allow users to log in with imperfect passphrases: an error tolerance of one incorrect character for every eight correct characters during login attempts ensured that memory-based errors were the only cause of login failures. Memory-based errors were most often caused by using phrases with improper syntactic structure, improper grammar or easily reordered phrases. Our results suggest that using unusual words and sentence-like structure is key to making secure and memorable passphrases. Sixty-seven per cent of participants agreed they would use passphrases for some of their accounts, and 71 per cent agreed their passphrase is more secure than a traditional password. The general consensus was that StoryPass passphrases are too secure for all accounts, but a good fit for high-security situations such as online banking or password managers.
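The error-tolerant login described in the abstract can be illustrated with a small worked example. The code below is an added illustration, not StoryPass code: it measures how far a login attempt is from the reference passphrase with Levenshtein edit distance and accepts the attempt when the number of wrong characters is covered by the "one incorrect per eight correct" rule. The exact formula StoryPass uses for the budget, its choice of distance measure, and the sample passphrase and attempts are all assumptions constructed here. The "reordered" and "dropped word" attempts model the memory-based failures the abstract mentions, which blow through the budget, while a plain typo stays inside it.

```python
# Added example (not StoryPass code): error-tolerant passphrase verification
# in the spirit of the abstract's "one incorrect character for every eight
# correct characters" rule. Budget formula and distance measure are assumptions.

def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or
    substitutions that turn a into b (classic two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def allowed_errors(reference: str, ratio: int = 8) -> int:
    """Largest k such that k wrong characters are backed by at least ratio*k
    correct ones, i.e. k * ratio <= len(reference) - k.  This is one reading
    of the 1-in-8 rule; StoryPass may count the budget differently."""
    return len(reference) // (ratio + 1)


def tolerant_match(reference: str, attempt: str) -> tuple[bool, int, int]:
    """Return (accepted, edit_distance, error_budget).

    Assumes the verifier can compare against the reference passphrase itself,
    as a study prototype can.  A production verifier that stores only a salted
    hash cannot compute a distance this way and would need a dedicated
    typo-tolerant scheme; that design question is outside this example."""
    distance = levenshtein(reference, attempt)
    budget = allowed_errors(reference)
    return distance <= budget, distance, budget


# Constructed sample passphrase (37 characters) and constructed login attempts.
REFERENCE = "the purple llama juggles nine teacups"

ATTEMPTS = {
    "exact":        "the purple llama juggles nine teacups",
    "two typos":    "the purpel llama juggles nine teacups",   # 'le' typed as 'el'
    "reordered":    "the llama purple juggles nine teacups",   # words swapped (memory error)
    "dropped word": "the purple llama juggles teacups",        # 'nine' forgotten (memory error)
}


def evaluate_all() -> dict[str, tuple[bool, int, int]]:
    """Run every constructed attempt through the tolerant check."""
    return {name: tolerant_match(REFERENCE, attempt) for name, attempt in ATTEMPTS.items()}


if __name__ == "__main__":
    for name, (accepted, distance, budget) in evaluate_all().items():
        verdict = "accept" if accepted else "reject"
        print(f"{name:13s} distance={distance:2d} budget={budget} -> {verdict}")
```

With a 37-character reference the budget is 4 edits, so the two-character typo is accepted while swapping two words or dropping one is rejected, which is the separation between typing errors and memory errors the abstract relies on. Note that tolerance enlarges the set of strings the verifier accepts, so any guess-resistance estimate for a passphrase should be computed against the accepted set, not just the exact string.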