Skillen, Adam and Mannan, Mohammad (2013) Myphrase: Passwords from your Own Words. Working Paper. Unpublished. (Unpublished)
Text (application/pdf): myphrase-tech_rpt.pdf (489kB) - Draft Version. Available under License Spectrum Terms of Access.
Abstract
To improve manageability and strength of user-chosen passwords, we propose a multi-word password scheme called Myphrase. Contrary to the often-repeated but failed policy of banning common words as passwords, we encourage users to use words that are more personal to them—irrespective of the words being too common or esoteric. In Myphrase, a small dictionary is created from user-authored content such as sent emails and blogs. A master passphrase is constructed by randomly selecting words from the dictionary. We propose two variants as a trade-off between security and memorability; in random sequence, words are chosen uniformly across the dictionary, and in connected discourse, words are tagged using a part-of-speech engine and inserted appropriately into sentence templates. Words in the passphrase are expected to be easily recognizable to users and can be efficiently entered by leveraging the auto-suggest feature. Myphrase is designed to be compatible with both desktop and mobile platforms—a growing requirement for current authentication schemes. We create website-specific passwords from the master passphrase by salting the phrase with the site’s domain. To restrict offline attacks on the master passphrase from exposed site passwords, we require the passphrase to be of sufficient length (e.g., 6 words from a 1024-word dictionary, resulting in 60 bits of entropy in the random sequence variant). Entropy calculation for the connected discourse variant is less straightforward. We analyze Myphrase dictionaries and expected entropy of generated passphrases with two datasets: the Enron email corpus, and several popular books from Project Gutenberg. We also evaluate Myphrase using a recently proposed, slightly modified, framework of usability-deployability-security ratings, and seek feedback on our proof-of-concept prototypes available for both desktop and mobile platforms.
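The random sequence variant described in the abstract can be sketched as follows. This is an added example, not code from the paper or its prototypes. The frequency-based dictionary selection, the use of PBKDF2-HMAC-SHA256 with the domain as salt, the iteration count and all function names are assumptions, and the sample text is constructed.

```python
import base64, hashlib, math, re, secrets
from collections import Counter

# Constructed sample standing in for user-authored content (sent mail, blog posts).
SAMPLE_TEXT = """
Thanks for the draft report. I will review the budget figures tonight and send
comments before the meeting on Friday. The garden project is going well; the
tomato plants survived the frost and the fence is finally painted.
"""

def build_dictionary(text, size):
    """Return the `size` most frequent words of 3+ letters (assumed selection rule)."""
    counts = Counter(re.findall(r"[a-z]{3,}", text.lower()))
    if len(counts) < size:
        raise ValueError("not enough distinct words for the requested dictionary size")
    # Sort by frequency, then alphabetically, so the dictionary is reproducible.
    ranked = sorted(counts, key=lambda w: (-counts[w], w))
    return ranked[:size]

def random_sequence(dictionary, n_words):
    """Random sequence variant: each word drawn uniformly with a CSPRNG."""
    return [secrets.choice(dictionary) for _ in range(n_words)]

def entropy_bits(dict_size, n_words):
    """Uniform, independent draws give n_words * log2(dict_size) bits."""
    return n_words * math.log2(dict_size)

def site_password(words, domain, length=16, iterations=100_000):
    """Salt the master passphrase with the site's domain (KDF choice is an assumption)."""
    key = hashlib.pbkdf2_hmac("sha256", " ".join(words).encode(),
                              domain.lower().encode(), iterations)
    return base64.urlsafe_b64encode(key).decode()[:length]

if __name__ == "__main__":
    dictionary = build_dictionary(SAMPLE_TEXT, 16)   # toy size; the abstract uses 1024
    phrase = random_sequence(dictionary, 6)
    print(" ".join(phrase), f"({entropy_bits(len(dictionary), 6):.0f} bits)")
    print(site_password(phrase, "example.com"))
    print(f"1024-word dictionary, 6 words: {entropy_bits(1024, 6):.0f} bits")
```

The entropy figure holds only because words are drawn uniformly and independently; a passphrase the user picks by hand from the same dictionary does not carry 60 bits.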
Divisions: | Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering |
---|---|
Item Type: | Monograph (Working Paper) |
Authors: | Skillen, Adam and Mannan, Mohammad |
Institution: | Concordia Institute for Information Systems Engineering |
Date: | 24 January 2013 |
Keywords: | passwords, multi-word passwords, mobile authentication |
ID Code: | 976791 |
Deposited By: | ADAM SKILLEN |
Deposited On: | 25 Jan 2013 15:41 |
Last Modified: | 18 Jan 2018 17:43 |