Mobile password security by the numbers
Mobile password entry is unnecessarily painful. Here's how auto-correction coupled with "pass sentences" could help.
Passwords are everywhere. We are not allowed to reuse passwords. We must not forget them. We must constantly change them -- and avoid reusing components in order to bolster security -- which of course increases the risks that we will forget them. And time after time, we must enter them.
My least favorite place to enter passwords is on my cell phone. It is much more painful than just entering text. If I write "Hwllo Wiliam" in an email or SMS, my phone will kindly correct this and make it "Hello William". Nice to have some help when the keyboard is the size of a large watch.
But that does not work for passwords.
Why is that? Simply put, because secure passwords should look more like poorly typed or spelled words than their corrected counterparts. In fact, "Hwllo" might be a pretty decent password. But "Hello" sure is not. Just as "ftog" may be ok, but "frog" is not a good password.
Does that mean we should just resign, concluding that passwords will remain painful, and grow increasingly more so as we get used to more and more error correction features for other text entry?
I say no, that is not so.
Let me describe a solution that overcomes the problem -- while improving the security of the system.
Imagine first that we do rely on error correction for password entry. If you enter "ftog", that means "frog" to your computer. Good for you, that makes it easy to enter. And next time you may enter it as "drog" -- or even as "frog", if you are lucky. This password is easy to remember, as it has some meaning.
But hold on, it is not secure, because it is a dictionary word, and as such, it is easily guessed.
Well, no problem. Require another word -– the word "work", for example. The password is now "frog work". (You may enter this real carelessly -– "ftog qiej" will do just fine, and it gets corrected to "frog work". This is obviously more secure, as an attacker who knows that we use two words now must try all two-word combinations until finding the right one. But still it is not eminently secure.
What do we do? I am sure you can guess. Add another word.
A particular user may choose the sequence "frog work flat", which might correspond to the mnemonic "I ran over a frog on my way to work. It became flat." (Psychologists know that colorful mnemonics are easier to remember than less-colorful ones.)
So we have "frog work flat". How secure is that? The frequencies of these words in the English language are 10-5.13, 10-3.20 and 10-4.36. The combination therefore occurs with probability 10-12.7 -- the product of those three frequency values -- or approximately 2-42. That is a strong credential.
But in addition to considering single-word frequencies, we must also look at the frequency of tuples of words. For example, consider "I love you honey". The individual frequencies of those four words are 10-2.35, 10-3.55, 10-2.34 and 10-4.91, which suggests that this would have a frequency product of 10-13.2 -- but the frequency of the quadruple is only 10-7.77, since this is a common phrase. So that is not a strong credential.
What does this give us?
Passwords -- or "pass sentences" -- that are easy to enter on small and error-prone keyboards. (Don't confuse this with pass phrases. Those are not easy to enter, because they do not get helped by error correction.) You could even use a dictation tool and speak the words, if you feel comfortable that nobody can hear you. It improves the security estimates -- we can establish a pretty good idea of just how strong a given pass sentence is. And I would venture a guess that it makes it easier to remember them, because it could mean something to you.
Those of you old enough to remember the good old days of Compuserve and AOL may recall getting assigned a password like "crystal_bumper" when you started the service. While that is a combination of dictionary words, that's where the similarities end. There were no error-correcting features -- nor were any needed. A lot has changed since then.
Markus Jakobsson is a security researcher with interests in applied security, ranging from device security to user interfaces. He is one of the main contributors to the understanding of phishing and crimeware, and is currently focusing his efforts on human aspects of security and mobile security.
He has published three books and over one hundred peer-reviewed conference and journal articles. He holds 45 U.S. patents, some international, and more than a hundred pending patents. He is a co-founder of four startups, spanning user authentication, mobile malware detection, and secure user messaging.