Remembering Passwords like a Pro – Interview with Jeremiah Blocki
Andrew Carmichael, guest blogger at HLF15: Jeremiah Blocki is a Post-Doctoral Fellow in the Computer Science Department at Carnegie Mellon University. Jeremiah completed his PhD at Carnegie Mellon University focusing on Usable and Secure Human Authentication. Jeremiah is continuing his research in this field, developing usable authentication systems for humans.
Andrew Carmichael: Tell us a little about yourself.
Jeremiah Blocki: I’m a computer scientist. I did my undergrad at Carnegie Mellon University where I worked with Manuel Blum. I loved working with him so much that I decided to stay at CMU and do my PhD. I was also advised by Anupam Datta.
AC: Did you cultivate your interest in this field from working with these researchers? Or did you have some interest in this topic beforehand?
JB: When I was younger, I was drawn to topics around security and cryptography. When I was 15 years old I tried to implement a basic version of RSA cryptography because I was so fascinated by the idea of public key cryptography.
AC: What’s been the most valuable experience for you at the forum?
JB: I think having the opportunity to meet the laureates. In grad school, you read many papers and see these names. It’s wonderful to connect the names to the faces and hear a little bit about who they are and get to know them.
It was also an incredible opportunity to do a workshop on my research here. I look out into the audience and see a Fields Medal winner, a Turing Award winner… It’s intimidating, but it helped that I had the opportunity to work with Manuel. My experience with him is that he is so friendly and personable that even if you come in with this kind of fear and nervousness, and you’re thinking, ‘Oh my goodness I’m talking to this famous person,’ he has a manner of relaxing you.
AC: Did you come here looking to get anything out of the conference in terms of your research? Did you find what you were looking for?
JB: Starting grad school, I thought research was all about technical details. I think during the first few years I didn’t realise how much it’s actually about the people doing the research. I didn’t come to the forum specifically hoping to learn about one topic in CS or maths. I came to learn who is working on these different topics. Later on in my research, if I think I have an application where, say, strata field theory might be useful, I know now who are the people that I could go talk to. I won’t be a complete stranger.
AC: It’s about social connections then?
JB: Yes, absolutely.
AC: So tell us, what was your CMU network password again?
JB: CMU network password? Oh 1-2-3-4-5. I use the same combination on my luggage.
AC: Tell us more specifically what you’re doing in your field.
JB: To summarize, the problem that has fascinated me for the last several years can be stated simply: how can a human user create and remember lots of passwords? It’s a simple problem to describe, and a common problem we all face. Even though this has been a problem for so many years, our understanding of passwords remains incomplete.
I’m very motivated from the standpoint of bringing some of the theoretical tools to bear. Typically, this has been viewed as an empirical problem, so the way you go about solving it is user studies. That’s all fine and good, but I think that the theory community hasn’t been looking at their tools to address the problem. I feel that there are valid tools that will be brought to bear.
I find that when I mention this, oftentimes I feel that people start confessing their password sins to me. I didn’t ask you to apologize, I’m trying to make this easier.
AC: In your opinion, is the way we do passwords today sufficient?
JB: I think that the current state of affairs is generally lacking. People struggle to follow the suggestions that they are given, and it shows. In 2009 RockYou was breached. It’s unfortunate, but one of the things we learned from that is that … users are overburdened with password requirements. Many of the passwords in the set were passwords that adversaries will find easy to guess. This isn’t the user’s fault. Lots of companies have struggled to keep their servers secure – then all of a sudden, even moderate passwords are vulnerable to attack.
AC: People may not understand why they are being asked to include special characters – I doubt it is well understood by the public.
JB: It’s a pain and I’m not even certain that the people who propose these policies understand it. A few years ago, there was a group at CMU who studied this using Mechanical Turk. The users were asked to create passwords with different policies. It was found that as the requirements became more restrictive, the passwords actually became easier to guess…
AC: It seems kind of obvious that when faced with complex password schemes, users are just going to append the extra requirements to the end of a weak password…
JB: I would go further; you said “it seems obvious” – there is in fact research data that says that this is the case. The problem is that if your password is ‘password’ and you tack on ‘1’ to the end, it’s not any harder for a computer to guess.
One of the other frustrating things is that there are other provable strategies that would be easier to use instead of remembering these special characters or positions of capital letters.
AC: How do you personally do your passwords?
JB: There was a paper we published a while back called Naturally Rehearsing Passwords. Essentially what I do is follow the strategy we describe in that paper. The basic insight behind this scheme is that our memory is large but we need to rehearse secrets that we’ve memorized in order to remember them.
One of the most challenging problems in passwords… say you have a password for irs.gov that you visit once per year. I almost guarantee that you aren’t going to remember your password because you haven’t practiced that password in a long time. We looked at how often people need to rehearse a secret in order to make sure that they continue to remember the secret in the future.
With reusing passwords, there are security issues, but one of the nice features of it is that every time you visit that password, you’re nearly guaranteed to remember because you rehearse it so frequently. The key insight was that instead of reusing passwords, you could mix and match secrets that you memorize in a strategic way so that any two websites use different passwords, and in fact an adversary that learns your Amazon password doesn’t learn your email password or any other password. However, every secret is rehearsed frequently so the user is much more likely to remember their passwords.
The easiest way to describe it: I use mnemonic tools to remember the secrets. We pick random stories. For example, you take a photo of a scene and a photo of a celebrity or a friend, and you pick a random action and object. You get funny stories like “Bill Gates swallowing a bike.” This sounds strange, but it’s easier to remember. Every password I have combines these stories in a different way. When I visit eBay I might need to remember a story involving President Bush, but when I visit Amazon I might need to remember the story involving Bill Gates.
What I have is a file on my Google Drive. In the file, there is a list of websites. Each website in the list has my username and pictures that remind me of the stories to remember. I also make notes of modifications. How to capitalize it, anything I had to do to meet password restrictions.
AC: Is the story actually the password?
JB: Yes. The nice thing is that even if you were to steal the file you would not be able to derive my passwords because the secrets are uncorrelated to the cues I use.
AC: What do you suggest that the average user do today to improve their password security?
JB: Password managers can be helpful. I would recommend to users that do adopt a password manager to still have a few different passwords. A few weeks ago the LastPass servers were broken into. They asked their users to change passwords. Even if you use a password manager, that doesn’t guarantee complete security. There still is this master password that if leaked could result in a large number of other breaches.
I will plug an app that we’re working on. It’s still under development. It’s an alternative password manager. It works in the same way as other managers behind the scenes, but in addition, it will include mnemonic tools to help create and remember strong passwords. So every time you type in your password for Amazon, it’s a different password… It also keeps track of how often you rehearsed secrets; it will remind you of secrets you haven’t rehearsed in a while and will prompt you to do so. It’s still a work in progress, but this is what I hope people will start using.
AC: I started a new job and they mandate that I use two-factor authentication for both my home and office accounts. It’s fine, but I sometimes second guess myself. If I lost my phone, would I be OK? Did I download all the codes? I would be fine for the most part, but maybe I forgot to do it for one account I’d lose access.
What do you think of two-factor authentication?
JB: I’m always in favour of two-factor authentication if it can improve security. I wonder if it would be better to move to some thresholded system where it is, say, possible to lose your cell phone without losing your access to a system. When human users are involved there is always the possibility of loss. You forget something, you lose a piece of paper, your cell phone is broken. We need to design systems that continue to provide availability when something goes wrong on the human side.
AC: What’s your app called?
JB: It’s called SmoothPass. It’s available on GitHub.
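As an editor's added illustration, not code from the interview, from the Naturally Rehearsing Passwords paper, or from SmoothPass, the following Python sketches the mechanics Blocki describes above: a small set of memorised person-action-object stories, a per-site assignment of a few stories chosen so that any two sites share at most one story (so no two sites get the same password and a leaked password reveals only part of any other), a password derived from that subset plus the per-site modification recorded in the cue file, and a tracker that flags stories not rehearsed recently. The greedy subset construction, the 30-day rehearsal interval, the sample stories and the `unknown_secrets_after_leak` check are assumptions made for this example; the paper's actual combinatorial construction and memory model differ.

```python
from datetime import date, timedelta
from itertools import combinations

# Constructed sample "stories" (person, action, object). In the scheme described
# they are chosen at random and memorised with picture cues; these placeholders
# are not anyone's real secrets. Note that the stories themselves never go in
# the cue file, only the site -> story-index assignments and modifications do.
STORIES = [
    ("bill gates", "swallowing", "bike"),
    ("president bush", "juggling", "teapot"),
    ("marie curie", "painting", "submarine"),
    ("alan turing", "riding", "cactus"),
    ("grace hopper", "baking", "trumpet"),
    ("ada lovelace", "fencing", "pumpkin"),
]


def choose_assignments(sites, n_secrets, k, max_overlap):
    """Greedily give each site a k-subset of the n secrets such that no two
    sites share more than max_overlap secrets (assumed construction).
    Returns {site: tuple of story indexes}; raises when the pool runs out."""
    chosen = {}
    for site in sites:
        for cand in combinations(range(n_secrets), k):
            if all(len(set(cand) & set(c)) <= max_overlap for c in chosen.values()):
                chosen[site] = cand
                break
        else:
            raise ValueError(f"no subset left for {site}: add secrets or relax overlap")
    return chosen


def max_pairwise_overlap(assignments):
    """Largest number of stories any two sites have in common."""
    pairs = combinations(assignments.values(), 2)
    return max((len(set(a) & set(b)) for a, b in pairs), default=0)


def unknown_secrets_after_leak(leaked_site, other_site, assignments):
    """How many of other_site's stories remain unknown to someone who learned
    the full password (hence all stories) of leaked_site."""
    return len(set(assignments[other_site]) - set(assignments[leaked_site]))


def derive_password(site, assignments, stories, modifications=None):
    """Join the action and object words of the site's stories, then append the
    per-site tweak noted in the cue file (e.g. a symbol a policy demanded)."""
    words = []
    for idx in assignments[site]:
        _, action, obj = stories[idx]
        words += [action, obj]
    pw = "".join(w.capitalize() for w in words)
    return pw + (modifications or {}).get(site, "")


class RehearsalTracker:
    """Remembers when each story was last used and reports the ones overdue."""

    def __init__(self, n_secrets, interval_days):
        self.last = {i: None for i in range(n_secrets)}
        self.interval = timedelta(days=interval_days)

    def record_login(self, site, assignments, when):
        # Logging in to a site rehearses every story that site uses.
        for idx in assignments[site]:
            self.last[idx] = when

    def due(self, today):
        # Never-rehearsed stories and stale ones are both due.
        return sorted(i for i, t in self.last.items()
                      if t is None or today - t > self.interval)


if __name__ == "__main__":
    sites = ["amazon", "email", "ebay", "irs.gov"]
    assignments = choose_assignments(sites, len(STORIES), k=3, max_overlap=1)
    for s in sites:
        print(s, assignments[s], derive_password(s, assignments, STORIES, {"irs.gov": "!1"}))
    print("max overlap:", max_pairwise_overlap(assignments))
    tracker = RehearsalTracker(len(STORIES), interval_days=30)
    tracker.record_login("amazon", assignments, date(2015, 8, 1))
    print("due on 2015-08-20:", tracker.due(date(2015, 8, 20)))
```

With six stories and three per site, the greedy construction supports four sites at overlap one; someone who learns the whole `amazon` password still lacks two of the three stories behind every other site, and a site visited yearly, such as `irs.gov`, surfaces in `due()` long before its next visit.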
Andrew Carmichael is a professional software developer with more than ten years of industry experience. Andrew became interested in computing at a young age and has recently changed disciplines from working on large desktop applications to mobile application development.