Alice in Passphraseland: Assessing the Memorability of Familiar Vocabularies for System-Assigned Passphrases

Text-based secrets are still the most commonly used authentication mechanism in information systems. IT managers must strike a balance between security and memorability while developing password policies. Initially introduced as more secure authentication keys that people could recall, passphrases are passwords consisting of multiple words. However, when left to the choice of users, they tend to choose predictable natural language patterns in passphrases, resulting in vulnerability to guessing attacks. System-assigned authentication keys can be guaranteed to be secure, but this comes at a cost to memorability. In this study we investigate the memorability of system-assigned passphrases from a familiar vocabulary to the user. The passphrases are generated with the Generative Pre-trained Transformer 2 (GPT-2) model trained on the familiar vocabulary and are readable, pronounceable, sentence like passphrases resembling natural English sentences. Through an online user study with 500 participants on Amazon Mechanical Turk, we test our hypothesis - following a spaced repetition schedule, passphrases as natural English sentences, based on familiar vocabulary are easier to recall than passphrases composed of random common words. As a proof-of-concept, we tested the idea with Amazon Mechanical Turk participants by assigning them GPT-2 generated passphrases based on stories they were familiar with. Contrary to expectations, following a spaced repetition schedule, passphrases as natural English sentences, based on familiar vocabulary performed similarly to system-assigned passphrases based on random common words.