Cue-Pin-Select, a Secure and Usable Offline Password Scheme

Résumé

People struggle to invent safe passwords for many of their typical online activities, leading to a variety of security problems when they use overly simple passwords or reuse them multiple times with minor modifications. Having different passwords for each service generally requires password managers or memorable (but weak) passwords, introducing other vulnerabilities. Recent research has offered multiple alternatives but those require either rote memorisation or computation on a physical device. This paper describes a secure and usable solution to this problem that requires no assistance from any physical device. We present the Cue-Pin-Select password family scheme that requires little memorisation and allows users to create and retrieve passwords easily. It uses our natural cognitive abilities to be durable, adaptable to different password requirements, and resistant to attacks, including ones involving plain-text knowledge of some passwords from the family. We include a theoretical analysis of its security according to multiple attack models. Finally, we show the promising results of a small-scale user study that put participants in real-life conditions for multiple days