System-Assigned Passwords You Can’t Write Down, But Don’t Need To

摘要

We explore the feasibility of Tacit Secrets: systemassigned passwords that you can remember, but cannot write down or otherwise communicate. We design an approach to creating Tacit Secrets based on Contextual Cueing, an implicit learning method previously studied in the cognitive psychology literature. Our feasibility study involving 30 participants indicates that our approach has strong security properties: resistance to brute-force attacks, online attacks, phishing attacks, and some coercion attacks. It also offers protection against leaks from other verifiers as the secrets are system-assigned. Our approach also has a high login success rate and low false positive rates. We explore the trade-offs of different configurations of our design and provide insight into valuable directions for future work.