MASCARA : Systematically Generating Memorable And Secure Passphrases

Passwords are the most common mechanism for authenticating users online. However, studies have shown that users find it difficult to create and manage secure passwords. To that end, passphrases are often recommended as a usable alternative to passwords, which would potentially be easy to remember and hard to guess. However, as we show, user-chosen passphrases fall short of being secure, while state-of-the-art machine-generated passphrases are difficult to remember. In this work, we aim to tackle the drawbacks of the systems that generate passphrases for practical use. In particular, we address the problem of generating secure and memorable passphrases and compare them against user chosen passphrases in use. We identify and characterize 72, 999 user-chosen in-use unique English passphrases from prior leaked password databases. Then we leverage this understanding to create a novel framework for measuring memorability and guessability of passphrases. Utilizing our framework, we design MASCARA, which follows a constrained Markov generation process to create passphrases that optimize for both memorability and guessability. Our evaluation of passphrases shows that MASCARA -generated passphrases are harder to guess than in-use user-generated passphrases, while being easier to remember compared to state-of-the-art machine-generated passphrases. We conduct a two-part user study with crowdsourcing platform Prolific to demonstrate that users have highest memory-recall (and lowest error rate) while using MASCARA passphrases. Moreover, for passphrases of length desired by the users, the recall rate is 60-100% higher for MASCARA-generated passphrases compared to current system-generated ones.

• Publication year

  2023

• Venue

  ACM Asia Conference on Computer and Communications Security

• Publication date

  2023-03-16

• Fields of study

  Computer Science

• Identifiers
  DOI 10.1145/3579856.3582839arXiv 2303.09150
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• Don't Forget the Stuffing! Revisiting the Security Impact of Typo-Tolerant Password Authentication

  2021influential reference
• Alice in Passphraseland: Assessing the Memorability of Familiar Vocabularies for System-Assigned Passphrases

  2021cited by this paper
• How Do We Create a Fantabulous Password?

  2020influential reference
• Beyond Credential Stuffing: Password Similarity Models Using Neural Networks

  2019influential reference
• Optiwords: A new password policy for creating memorable and strong passwords

  2019cited by this paper
• Protocols for Checking Compromised Credentials

  2019cited by this paper
• Language Models are Unsupervised Multitask Learners

  2019cited by this paper
• Forgetting of Passwords: Ecological Theory and Data

  2018cited by this paper
• Improving security and usability of passphrases with guided word choice

  2018cited by this paper
• A first look at the usability of bitcoin key management

  2018cited by this paper
• Reinforcing System-Assigned Passphrases Through Implicit Learning

  2018cited by this paper
• An efficient method to enhance Bitcoin wallet security

  2017cited by this paper
• The TypTop System: Personalized Typo-Tolerant Password Checking

  2017cited by this paper
• Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks

  2016cited by this paper
• Targeted Online Password Guessing: An Underestimated Threat

  2016cited by this paper
• pASSWORD tYPOS and How to Correct Them Securely

  2016cited by this paper
• Improving Recall and Security of Passphrases Through Use of Mnemonics

  2016cited by this paper
• Conformal Mapping of Rectangular Heptagons II

  2016cited by this paper
• Measuring Real-World Accuracies and Biases in Modeling Password Guessability

  2015influential reference
• Surpass: System-initiated User-replaceable Passwords

  2015cited by this paper
• Monte Carlo Strength Evaluation: Fast and Reliable Password Checking

  2015cited by this paper
• Towards Making Random Passwords Memorable: Leveraging Users' Cognitive Ability Through Multiple Cues

  2015cited by this paper
• On Measures of Entropy and Information

  2015cited by this paper
• Password Meters and Generators on the Web: From Large-Scale Empirical Study to Getting It Right

  2015cited by this paper
• How to Memorize a Random 60-Bit String

  2015cited by this paper
• The Belmont Report

  2014cited by this paper
• The Password Life Cycle: User Behaviour in Managing Passwords

  2014cited by this paper
• Representatively memorable: sampling the right phrase set to get the text entry experiment right

  2014cited by this paper
• A Study of Probabilistic Password Models

  2014cited by this paper
• The Tangled Web of Password Reuse

  2014cited by this paper
• Does my password go up to eleven?: the impact of password meters on password selection

  2013cited by this paper
• How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation

  2012cited by this paper
• Performance comparisons of phrase sets and presentation styles for text entry evaluations

  2012cited by this paper
• You Had Me at Hello: How Phrasing Affects Memorability

  2012cited by this paper
• Statistical Metrics for Individual Password Strength

  2012cited by this paper
• Correct horse battery staple: exploring the usability of system-assigned passphrases

  2012cited by this paper
• Linguistic Properties of Multi-word Passphrases

  2012cited by this paper
• Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms

  2012cited by this paper
• The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes

  2012cited by this paper
• Steven Bird, Ewan Klein and Edward Loper: Natural Language Processing with Python, Analyzing Text with the Natural Language Toolkit

  2010cited by this paper
• Testing metrics for password creation policies by attacking large sets of revealed passwords

  2010cited by this paper
• A Behavioral Analysis of Passphrase Design and Effectiveness

  2009cited by this paper
• The Oxford Textbook of Clinical Research Ethics

  2008cited by this paper
• Passphrase with Semantic Noises and a Proof on Its Higher Information Rate

  2007cited by this paper
• Human selection of mnemonic phrase-based passwords

  2006cited by this paper
• Password memorability and security: empirical results

  2004cited by this paper
• A character-level error analysis technique for evaluating text entry methods

  2002cited by this paper
• Foiling the cracker: A survey of, and improvements to, password security

  1992cited by this paper
• An Estimate of an Upper Bound for the Entropy of English

  1992cited by this paper
• Major Cities of the World

  1991cited by this paper
• A theory of reading: from eye fixations to comprehension.

  1980cited by this paper

• iPassGen: Enhancing Password Security Through Breach Analysis and Intelligent Passphrase Generation

  2025cites this paper
• Improving password policy strategies: a government employee perspective

  2025cites this paper
• Evaluating the Strength and Availability of Multilingual Passphrase Authentication

  2025cites this paper
• Choose From a List: A User Study of Random Password Memorability

  2025cites this paper
• LLM-Generated Passphrases That Are Secure and Easy to Remember

  2025cites this paper
• Improving Users' Passwords with DPAR: a Data-driven Password Recommendation System

  2024cites this paper
• Construção e Teste de app gamificado gerador de senhas fortes e memoráveis: Um estudo exploratório em cibersegurança

  2024cites this paper
• The Impact of Exposed Passwords on Honeyword Efficacy

  2023cites this paper
• Usability and Security of Knowledge-based Authentication Systems: A State-of-the-Art Review

  2023cites this paper