MASCARA: Systematically Generating Memorable And Secure Passphrases. (arXiv:2303.09150v1 [cs.CR])

Passwords are the most common mechanism for authenticating users online.
However, studies have shown that users find it difficult to create and manage
secure passwords. To that end, passphrases are often recommended as a usable
alternative to passwords, which would potentially be easy to remember and hard
to guess. However, as we show, user-chosen passphrases fall short of being
secure, while state-of-the-art machine-generated passphrases are difficult to
remember. In this work, we aim to tackle the drawbacks of the systems that
generate passphrases for practical use. In particular, we address the problem
of generating secure and memorable passphrases and compare them against user
chosen passphrases in use. We identify and characterize 72, 999 user-chosen
in-use unique English passphrases from prior leaked password databases. Then we
leverage this understanding to create a novel framework for measuring
memorability and guessability of passphrases. Utilizing our framework, we
design MASCARA, which follows a constrained Markov generation process to create
passphrases that optimize for both memorability and guessability. Our
evaluation of passphrases shows that MASCARA-generated passphrases are harder
to guess than in-use user-generated passphrases, while being easier to remember
compared to state-of-the-art machine-generated passphrases. We conduct a
two-part user study with crowdsourcing platform Prolific to demonstrate that
users have highest memory-recall (and lowest error rate) while using MASCARA
passphrases. Moreover, for passphrases of length desired by the users, the
recall rate is 60-100% higher for MASCARA-generated passphrases compared to
current system-generated ones.