Reinforcing System-Assigned Passphrases Through Implicit Learning


We propose and study the use of geographic hints to aid memorability of passphrase-style authentication secrets. Geographic hints are map locations that are selected by the user at the time of passphrase creation, and shown to the user as a hint at the time of passphrase login. We implement the GeoHints system and analyze how geographic hints impact the usability and security of passphrase-style secrets in a multi-session user study (n=38). The study involved testing for multiple-passphrase interference—each participant was asked to recall 4 distinct passphrases. Our study indicates that while geographic hints showed promise for reducing memory interference, GeoHints (as implemented) does not produce a viable authentication system, as the login success rate 7–11 days after passphrase selection was 25%. We analyze the root causes of login errors, finding that most were due to inexact recall of free-form text input. This finding points towards opportunities to improve the system design, and we suggest improvements that we believe will lead to viable systems that employ geographic hints.

ACM SIGSAC Conference on Computer and Communications Security (CCS ’18)