The design of leakage-resilient password systems (LRPSes) in the absence of trusted devices remains a challenging problem today despite two decades of intensive research in the security community. In this paper, we investigate the inherent tradeoff between security and usability in designing LRPS. First, we demonstrate that most of the existing LRPS systems are subject to two types of generic attacks - brute force and statistical attacks, whose power has been underestimated in the literature. Second, in order to defend against these two generic attacks, we introduce five design principles that are necessary to achieve leakage resilience in the absence of trusted devices. We also show that these attacks cannot be effectively mitigated without significantly sacrificing the usability of LRPS systems. Third, to better understand the tradeoff between security and usability of LRPS, we propose for the first time a quantitative analysis framework on usability costs of password systems. By decomposing the authentication process of existing LRPS systems into atomic cognitive operations in psychology, we show that a secure LRPS in practical settings always imposes a considerable amount of cognitive workload on its users, which indicates the inherent limitations of such systems and in turn implies that an LRPS has to incorporate certain trusted devices in order to be both secure and usable.
Digital Communications and Networking
Information Security and Trust
19th Network and Distributed System Security Symposium (NDSS)
City or Country
San Diego, CA
YAN, Qiang; HAN, Jin; LI, Yingjiu; and DENG, Huijie, Robert.
On Limitations of Designing Usable Leakage-Resilient Password Systems: Attacks, Principles and Usability. (2012). 19th Network and Distributed System Security Symposium (NDSS). Research Collection School Of Information Systems.
Available at: http://ink.library.smu.edu.sg/sis_research/1435
Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.