Myphrase: Strong and Memorable Passwords from Your Own Words
Tech Report:
See the Tech Report.
Description and Motivation:
Most users choose passwords from a limited dictionary of words, phrases, or number/letter
sequences. Trying to change user behaviour to improve password security is a lost cause;
however, we are stuck with passwords, as most digital providers are reluctant to adopt new
server-side authentication mechanisms. We explore another possibility: encouraging users to
use words they are comfortable with, but without sacrificing password strength or ignoring
"best-practice" rules for password selection. In Myphrase, users create a small dictionary
from content they authored (e.g., emails, documents, and blogs), or select a pre-created
dictionary from a topic they are familiar with. A master passphrase is randomly chosen from
the dictionary. We propose two variants to balance security and memorability: words may be
chosen uniformly across the dictionary, or inserted into sentence templates to create prose.
We then create unique website-specific passwords from the master passphrase by salting the
passphrase with the website domain. Myphrase is designed to be compatible with both desktop
and mobile platforms: auto-complete suggestions from the dictionary can drastically reduce
typing. Reusing the passphrase alleviates the burden of memorizing multiple passwords. It
also allows web content providers to maintain the de-facto password authentication schema.
To restrict offline attacks on the master passphrase (if a site password has been exposed),
we expect the passphrase to be of sufficient length (e.g., 6 words from a 2048-word
dictionary).
In summation:
- The user must memorize only one passphrase for many websites.
- This passphrase is easy to remember since it is taken from the user's familiar
vocabulary, and employs memorable syntactic and semantic structures.
- The passphrase is randomly system chosen and is therefore stronger than
user chosen passwords.
- If a site password has been exposed, an attacker does not gain a significant
advantage against other passwords or the master passphrase.
- Any one site password can be updated without the need to change other
passwords or the master passphrase.
- Site passwords are server-compatible, and each site password can be made to
respect different constraints (e.g., use of special characters, or minimum length).
- The auto-suggest feature allows the user to quickly enter a long phrase, which is
especially important on mobile devices.
Downloads:
Usage (Desktop):
All functionality for the Myphrase addon is available through the context menu (right-click menu).
See figure 1 below. Be sure to check the preferences before using the tool.
Figure 1: Myphrase Context Menu
- Generate Personal Dictionary - This feature is available in the Preferences window; see figure 3. Our tool can currently build
a dictionary from text files, html files, or from your "Sent" mailbox if you use the
Simple Mail Firefox addon; see figure 2.
You can also choose one of our pre-built dictionaries from the preferences window,
or manually create one of your own. Most document formats can be "saved-as" text
(e.g., MS Word, PDF, etc.) or HTML (e.g., ePub books, online blogs, etc.).
Figure 2: Myphrase Build Dictionary Dialog
Figure 3: Myphrase Preferences Dialog
- Generate your 'Myphrase' - Select the option to generate a randomly selected
phrase from words in your dictionary; see figure 4. You can choose one of two
methods: a random sequence of words, or a proper sentence. The random sequence
is more secure, but less memorable than the proper sentence.
If you aren't satisfied with the passphrase, keep clicking 'generate' until you
get one you like. You can keep certain words and selectively regenerate others
by checking the boxes next to the words you want to keep. You can only regenerate
so many words before the phrase will reset. This is to ensure you don't add too
much predictability to the passphrase. You must memorize or write
down this phrase: we don't store it in the software, and cannot regenerate it.
Figure 4: Generate Master Passphrase
- Use Myphrase in Web Applications - You can use your Myphrase to derive
passwords for as many web sites as you want. When creating an account, changing passwords,
or logging into web applications: right-click inside the password field. A new
option will be available in the context menu: "Insert Site Password Here". Select that
option to generate and insert your site specific password; see figure 1. You will be
prompted to enter your master passphrase; see figure 5. Auto-complete suggestions can be
selected to speed up this step, and should help jog your memory.
Each site password is unique and exhibits characteristics of strong attack
resistance. We iterate a hash function 32768 times to slow guessing attacks against
your passphrase.
Figure 5: Insert Site Password
- Send us Feedback - We welcome any feedback or comments you have about our tool.
Tell us what features you would like to see, or what aspects you find less than satisfactory.
You can find contact information at the bottom of this page.
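As an added example (not the Myphrase addon's own code), the following Python sketches the scheme described on this page: a master passphrase drawn uniformly from a dictionary with a CSPRNG, the entropy that gives for 6 words from 2048, and a site password derived by salting the passphrase with the domain and iterating a hash 32768 times. The concrete hash construction (PBKDF2-HMAC-SHA256), the base-62 encoding and the special-character policy handling are assumptions, and the dictionary is a constructed toy.

```python
import hashlib
import math
import secrets

# Constructed toy dictionary; a real Myphrase dictionary holds ~2048 words
# drawn from the user's own writing.
DICTIONARY = ["anchor", "basil", "comet", "dune", "ember", "fjord", "gable", "heron"]
ITERATIONS = 32768  # hash iteration count stated on the page
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def entropy_bits(dict_size, n_words):
    """Entropy of n_words drawn uniformly (with replacement) from dict_size words."""
    return n_words * math.log2(dict_size)


def generate_passphrase(dictionary, n_words=6, keep=None):
    """Pick a random passphrase; `keep` maps positions to words the user retains.
    Uses secrets (a CSPRNG), never random.choice, because this is a master secret."""
    keep = keep or {}
    return [keep.get(i, secrets.choice(dictionary)) for i in range(n_words)]


def site_password(passphrase, domain, length=16, special="!@#$"):
    """Derive a site-specific password from the passphrase and the domain.
    Assumed construction (not Myphrase's exact one): PBKDF2-HMAC-SHA256 with
    the lowercased domain as salt and ITERATIONS rounds; the 256-bit key is
    then written in base-62 and one position is forced to a special character
    so a site's complexity policy is met without changing the passphrase."""
    if not 4 <= length <= 40:  # 256 bits yields about 43 base-62 digits
        raise ValueError("length must be between 4 and 40")
    key = hashlib.pbkdf2_hmac(
        "sha256", " ".join(passphrase).encode(), domain.lower().encode(), ITERATIONS
    )
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    chars[0] = special[key[0] % len(special)]  # guarantee one special character
    return "".join(chars)


if __name__ == "__main__":
    phrase = generate_passphrase(DICTIONARY)
    print("passphrase:", " ".join(phrase))
    print("entropy of 6 words from 2048:", entropy_bits(2048, 6), "bits")
    for site in ["example.com", "Example.com", "example.org"]:
        print(site, site_password(phrase, site))
```

Because the domain is the salt, the same passphrase yields an unrelated password for every site, and a leaked site password still costs an attacker 32768 hash rounds per passphrase guess.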
Usage (Mobile):
Using the Myphrase Soft-Keyboard you can generate site passwords using a
dictionary and passphrase you created on the desktop version.
- Switch to Myphrase Keyboard - You must enable the Myphrase keyboard
from the Android "Language and Input" Settings menu; see figure 6. When faced with
a login prompt, switch to the Myphrase input device by pulling down the notification
bar; see figure 7.
Figure 6: Enable Myphrase Keyboard
Figure 7: Select "Choose Input Method" from the notification bar, and select
the Myphrase keyboard option
- Generate Site Password - Now tap inside the password field
and type in your passphrase. Auto-complete suggestions can be selected to
speed up this step. Press enter (the lock icon) or close the keyboard
to generate the site password. Your site password will be inserted into the
webpage; see figures below. NOTE: the password field will not fill in until
you press enter. This is to prevent exposure of your master passphrase.
Figure 8: Type and Auto-Complete your passphrase, then press Enter to insert
it into the webpage.
At this time the Myphrase keyboard is a prototype and does not include all features
found in the desktop version.
Known issues in the mobile version include:
- Cannot operate as a standard keyboard (i.e., always hashes text). In a future
version we may use a modifier (cf. "Shift") to turn on hashing.
- Preferences (incl. Site specific) are not yet implemented.
- Dictionary must be in the SD card root, named "myphrase_dictionary.txt".
- URL capture is problematic when multiple tabs are open.
- So far it only works with web services, not apps. If an app's package name
differs from the associated domain, the generated passwords will be different
(e.g., gmail.com vs. com.google.gmail-app).
Contributors:
Adam Skillen
CCSL - Carleton University
Homepage: https://www.ccsl.carleton.ca/~askillen/
Mohammad Mannan
CIISE - Concordia University
Homepage: http://www.encs.concordia.ca/~mmannan
Last Updated: 27-Aug-13