Enhancing Authentication: Towards Password Memorability Meters, and Leveraging Implicit Learning for System-Assigned Passwords

增强身份验证：走向密码记忆仪，并利用系统分配密码的隐式学习

• 批准号: RGPIN-2018-05919
• 负责人: VargasMartin, Miguel
• 金额: $ 2.04万
• 依托单位: University of Ontario Institute of Technology
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2018
• 资助国家: 加拿大
• 起止时间: 2018-01-01 至 2019-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=667628
• 关键词: Enhancing; Authentication; Towards; Password; Memorability

Text passwords remain as one of the most widespread authentication mechanisms in computer systems. The strength of a password is thus of paramount importance to security. As such, a number of password strengthening techniques have been proposed in the literature and deployed in the real world. Nevertheless, there exists a trade-off between password strength and memorability, and while password strength meters are common, according to the related literature and to the best of my knowledge, no reliable memorability meter has been published or deployed. The proposed research program will endeavour to analyze memorability of system-assigned passwords at the time of creation, by studying the brain waves generated while seeing a password for the first time. This work will lead to a password meter that can help users to choose a system-assigned password that has higher probability of being remembered, by predicting its recall chances at the time of assigning the password to a user.******So far, together with my team of students, I have been able to establish that passwords can be classified based on the electroencephalogram (EEG) signals they elicit. This was found through a series of experiments that used consumer-grade brain-computer interface (BCI) devices to compare EEG differences between random and common passwords (i.e., most common passwords as exposed by popular password leaks). In light of these experiments it became evident that a password meter could be built by measuring short- and long-term password recall. For example, when the user is given a choice of two system-assigned passwords, there are statistically significant correlations between the EEG signals and the chosen password, recalling the password from short- and long-term memory, and the number of attempts to remember the password correctly.******To address password usability from a different angle, the proposed research program will investigate authentication techniques that leverage implicit learning phenomena from the psychology field. Some of the most important advantages of implicitly learnt passwords are that the user is not imposed with a conscious cognitive burden, can't retrieve them at will, and therefore to a certain extent implicitly learnt passwords are coercion- and insider-attack resistant. During the past years, my research team and I have designed and tested an authentication technique based on two branches of implicit learning, namely, contextual cueing and semantic priming, which have shown promise not only in terms of accuracy but in training time compared to the most cited recent related works available in the literature. The proposed research program will continue this line of research to improve accuracy as well as training and authentication time.******Over 10 highly qualified personnel will be trained in authentication with strong theoretical foundations, benefitting the research community and Canadians in general.

文本密码仍然是计算机系统中最广泛的身份验证机制之一。因此，密码的强度对安全性至关重要。因此，在文献中已经提出了许多密码加强技术，并在真实的世界中部署了这些技术。然而，存在密码强度和记忆力之间的权衡，而密码强度计是常见的，根据相关文献和尽我所知，没有可靠的记忆力计已公布或部署。拟议的研究计划将通过研究第一次看到密码时产生的脑电波，努力分析系统分配的密码在创建时的可记忆性。这项工作将导致一个密码计量器，它可以帮助用户选择一个系统分配的密码，有更高的被记住的概率，通过预测它的回忆机会时，分配给用户的密码。到目前为止，我和我的学生团队已经能够确定密码可以根据它们引起的脑电图（EEG）信号进行分类。这是通过一系列实验发现的，这些实验使用消费级脑机接口（BCI）设备来比较随机密码和普通密码之间的EEG差异（即，最常见的密码，如由流行的密码泄露所暴露的）。根据这些实验，很明显可以通过测量短期和长期密码回忆来建立密码计量器。例如，当用户可以选择两个系统分配的密码时，EEG信号和所选密码之间存在统计学上的显著相关性，从短期和长期记忆中回忆密码，以及正确记住密码的尝试次数。为了从不同的角度解决密码的可用性问题，拟议的研究计划将研究利用心理学领域内隐学习现象的认证技术。隐式学习密码的一些最重要的优点是，用户不会被强加有意识的认知负担，不能随意检索它们，因此在一定程度上隐式学习密码是强制和内部攻击抵抗的。在过去的几年中，我和我的研究团队设计并测试了一种基于内隐学习的两个分支的认证技术，即上下文提示和语义启动，与文献中引用最多的最近相关作品相比，这不仅在准确性方面而且在训练时间方面都表现出了希望。拟议的研究计划将继续这一研究路线，以提高准确性以及培训和认证时间。超过10名高素质的人员将接受具有坚实理论基础的认证培训，使研究界和加拿大人受益。