Myphrase: Strong and Memorable Passwords from Your Own Words
See the Tech Report.
Description and Motivation:
Most users choose passwords from a limited dictionary of words, phrases, or number/
letter sequences. Trying to change user behaviour to
improve password security is a lost cause; however we are stuck with passwords as
most digital providers are reluctant to adopt new server-side authentication mechanisms.
another possibility: encouraging users to use words they are comfortable with,
but without sacrificing password strength or ignoring "best-practice" rules for
password selection. In Myphrase, users create a small dictionary
from content they authored (e.g., emails, documents, and blogs);
or select a pre-created dictionary from a topic they are familiar with.
A master passphrase is randomly chosen from the dictionary.
We propose two variants to compromise security and memorability: words may be
chosen uniformly across the dictionary, or inserted into sentence
templates to create prose. We then create unique website-specific passwords
from the master passphrase by salting the passphrase with the website domain.
Myphrase is designed to be compatible with both desktop and mobile platforms:
auto-complete suggestions from the dictionary can drastically reduce typing.
passphrase alleviates the burden of memorizing multiple passwords. It also allows
web content providers to maintain the de-facto password authentication schema.
To restrict offline attacks on the master passphrase (if a site password has been
exposed) we expect the passphrase to be of sufficient length (e.g., 6 words from
a 2048-word dictionary).
- The user must memorize only one passphrase for many websites.
- This passphrase is easy to remember since it is taken from the user's familiar
vocabulary, and employs memorable syntactic and semantic structures.
- The passphrase is randomly system chosen and is therefore stronger than
user chosen passwords.
- If a site password has been exposed, an attacker does not gain a significant
advantage against other passwords or the master passphrase.
- Any one site password can be updated without the need to change other
passwords or the master passphrase.
- Site passwords are server-compatible and each site password can be made to
respect different constraints (e.g., use of special characters, or minimum length)
- The auto-suggest feature allows the user to quickly enter a long phrase,
especially important for mobile devices
All functionality for the Myphrase addon is available through the context menu (right-click menu).
See figure 1 below. Be sure to check the preferences before using the tool.
Figure 1: Myphrase Context Menu
- Generate Personal Dictionary - This feature is available in the Preferences window; see figure 3. Our tool can currently build
a dictionary from text files, html files, or from your "Sent" mailbox if you use the
Simple Mail Firefox addon; see figure 2.
You can also choose one of our pre-built dictionaries from the preferences window,
or manually create one of your own. Most document formats can be "saved-as" text
(e.g., MS Word, PDF, etc.) or HTML (e.g., ePub books, online blogs, etc.)
Figure 2: Myphrase Build Dictionary Dialog
Figure 3: Myphrase Preferences Dialog
- Generate your 'Myphrase' - Select the option to generate a randomly selected
phrase from words in your dictionary; see figure 4. You can choose one of two
methods: a random sequence of words, or a proper sentence. The random sequence
is more secure, but less memorable than the proper sentence.
If you aren't satisfied with the passphrase keep clicking 'generate' until you
get one you like. You can keep certain words and selectively regenerate others
by checking the boxes next to the words you want to keep. You can only regenerate
so many words before the phrase will reset. This is to ensure you don't add too
much predictability to the passphrase. You must memorize or write
down this phrase: we don't store it in the software, and cannot regenerate it.
Figure 4: Generate Master Passphrase
- Use Myphrase in Web Applications - You can use your Myphrase to derive
passwords for as many web sites as you want. When creating an account, changing passwords,
or logging into web applications: right-click inside the password field. A new
option will be available in the context menu: "Insert Site Password Here". Select that
option to generate and insert your site specific password; see figure 1. You will be
prompted to enter your master passphrase; see figure 5. Auto-complete suggestions can be
selected to speed up this step, and should help jog your memory.
Each site password is unique and exhibits characteristics of strong attack
resistance. We iterate a hash function 32768 times to slow guessing attacks against
Figure 5: Insert Site Password
- Send us Feedback - We welcome any feedback or comments you have about our tool.
Tell us what features you would like to see, or what aspects you find less than satisfactory.
You can find contact information at the bottom of this page.
Using the Myphrase Soft-Keyboard you can generate site passwords using a
dictionary and passphrase you created on the desktop version.
At this time the Myphrase keyboard is a prototype and does not include all features
found in the desktop version.
Known issues in the mobile version include:
- Switch to Myphrase Keyboard - You must enable the Myphrase keyboard
from the Android "Language and Input" Settings menu; see figure 6. When faced with
a login prompt, switch to the Myphrase input device by pulling down the notification
bar; see figure 7.
Figure 6: Enable Myphrase Keyboard
Figure 7: Select "Choose Input Method" from the notification bar, and select
the Myphrase keyboard option
- Generate Site Password - Now tap inside the password field
and type in your passphrase. Auto-complete suggestions can be selected to
speed up this step . Click press enter (lock icon) or close the keyboard
to generate the site password. Your site password will be inserted into the
webpage; see figures below. NOTE: the password field will not fill in until
you press enter. This is to prevent exposure of your master passphrase.
Figure 8: Type and Auto-Complete your passphrase, then press Enter to insert
it into the webpage.
- Cannot operate as a standard keyboard (i.e., always hashes text). In a future
version we may use a modifier (cf. "Shift") to turn on hashing.
- Preferences (incl. Site specific) are not yet implemented.
- Dictionary must be in the SD card root, named "myphrase_dictionary.txt".
- URL capture is problematic when multiple are tabs open.
- So far it only works with web services, not apps. If a app's package name
differs from the associated domain, the generated passwords will be different
(e.g., gmail.com vs. com.google.gmail-app).
CCSL - Carleton University
CIISE - Concordia University
Last Updated: 27-Aug-13