Cryptography Reference
To help thwart such dictionary attacks, systems typically implement rules
that coerce users into selecting passwords more evenly spread across the total
password space of the scheme, for example, mixing letters and typographical
characters, using passphrases, or enforcing frequent replacement.36
However, users often respond to such measures with even worse
security strategies, for example, writing down their passwords under their
mouse pads. As Smith quips, classical password selection rules imply that
the best passwords “must be impossible to remember and never written
down.”37
One interesting response to this seemingly intractable conundrum has
been to take advantage of the dual linguistic and graphical dimensions
of textual passwords.38 That is, passwords are memorized, but also input
into computers as written signs. This approach leads to possible strategies
for enhancing the memorability of passwords by coupling together visual
and linguistic mnemonic techniques. Such approaches are interesting on
two levels: on the one hand, they might effectively increase the memorable
password space without additionally burdening the user's memory; on
the other hand, to measure this effectiveness, researchers must somehow
integrate into their mathematical models the empirical insights provided
by experimental psychologists working in the field of memory and
cognition.
Input Orderings
A first strategy stems from the realization that computer software and input
devices impose a specific temporal order on the way users enter their
passwords: first letter first, second letter second . . . last letter last. Yet using a
graphical input device, it is possible to decouple the elements of the input
from their temporal order. That is, the various characters of a password can
be entered according to different ordering strategies, for example, by
starting with the last character, from the outside in, or any other input strategy
(see figure 7.2).
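The following sketch is an added example, not taken from the book: it records an entry as a sequence of (position, character) events, stores a salted hash of that sequence so the ordering becomes part of the secret, and compares the theoretical gain of log2(k!) bits with the gain actually obtained when users choose among only a few orderings. The function names, the three orderings modeled as permutations, the use of PBKDF2, and the sample password, salt and probabilities are all assumptions made for illustration.

```python
import hashlib, hmac, json, math
from itertools import permutations

def forward(k):                      # conventional: first letter first
    return list(range(k))

def reverse(k):                      # last character first
    return list(range(k - 1, -1, -1))

def outside_in(k):                   # alternate ends, moving toward the middle
    order, lo, hi = [], 0, k - 1
    while lo <= hi:
        order.append(lo)
        if hi != lo:
            order.append(hi)
        lo, hi = lo + 1, hi - 1
    return order

def entry_events(password, order):
    """(position, character) events in the order the user enters them."""
    if sorted(order) != list(range(len(password))):
        raise ValueError("order must be a permutation of the positions")
    return [(pos, password[pos]) for pos in order]

def verifier(events, salt):
    """Salted PBKDF2 over the ordered events: the ordering is part of the secret."""
    return hashlib.pbkdf2_hmac("sha256", json.dumps(events).encode(), salt, 100_000)

def check(events, salt, stored):
    return hmac.compare_digest(verifier(events, salt), stored)

def distinct_entries(password):
    """Count distinct event sequences; k! even when characters repeat."""
    k = len(password)
    return len({tuple(entry_events(password, p)) for p in permutations(range(k))})

def ordering_gain_bits(k):
    """Upper bound on the gain: log2(k!), reached only if orderings are uniform."""
    return math.log2(math.factorial(k))

def effective_gain_bits(probabilities):
    """Shannon entropy of the orderings users actually choose."""
    return -sum(p * math.log2(p) for p in probabilities if p > 0)

if __name__ == "__main__":
    pw, salt = "Tr0ub4d!", b"constructed-salt"   # constructed sample values
    stored = verifier(entry_events(pw, outside_in(len(pw))), salt)
    print(check(entry_events(pw, forward(len(pw))), salt, stored))  # same text, wrong order
    print(ordering_gain_bits(8), effective_gain_bits([1/3, 1/3, 1/3]))
```

If every user picks one of only three orderings with equal probability, the effective gain is log2(3) bits rather than log2(8!) bits, which is why the memorability of orderings decides how much of the enlarged space is actually used.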
This decoupling immediately leads to a sizable increase of the password
space: for a password of k characters where k = 8, the new password space
exceeds the conventional one by a factor of k! = 40320. Obviously, not all
ordering strategies are equally memorable, and it is not clear how one
might quantify the increase in the memorable password space other than by
empirical trials. Nevertheless, the scheme provides a first entry point into