# Human-Usable Password Schemas: Beyond Information-Theoretic Security

**Authors:** Elan Rosenfeld, Santosh Vempala, Manuel Blum

arXiv: 1906.00029 · 2019-06-04

## TL;DR

This paper evaluates the practical security of password schemas against real-world adversaries, revealing that many schemas are vulnerable and emphasizing the need for complex constraints to enhance security.

## Contribution

It provides a complexity-theoretic analysis of password schemas, contrasting with previous information-theoretic approaches, and offers insights into designing more secure schemas.

## Key findings

- Several schemas are vulnerable to computationally bounded adversaries.
- Introducing multiple constraints per challenge-response pair enhances schema security.
- Practical security analysis differs significantly from infinite adversary models.

## Abstract

Password users frequently employ passwords that are too simple, or they just reuse passwords for multiple websites. A common complaint is that utilizing secure passwords is too difficult. One possible solution to this problem is to use a password schema. Password schemas are deterministic functions which map challenges (typically the website name) to responses (passwords). Previous work has been done on developing and analyzing publishable schemas, but these analyses have been information-theoretic, not complexity-theoretic; they consider an adversary with infinite computing power.   We perform an analysis with respect to adversaries having currently achievable computing capabilities, assessing the realistic practical security of such schemas. We prove for several specific schemas that a computer is no worse off than an infinite adversary and that it can successfully extract all information from leaked challenges and their respective responses, known as challenge-response pairs. We also show that any schema that hopes to be secure against adversaries with bounded computation should obscure information in a very specific way, by introducing many possible constraints with each challenge-response pair. These surprising results put the analyses of password schemas on a more solid and practical footing.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1906.00029/full.md

---
Source: https://tomesphere.com/paper/1906.00029