Creating passwords that are memorable, hintable and resistant to attack is an increasingly important issue, especially in the age of savvy cyber-hackers — but computer-generated passwords are often too hard for people to remember, experts say.
It turns out that the challenge of creating attack-resistant passwords is a perfect fit for two departments who at first glance might seem to have little in common: linguistics and computer science.
In 2013, the National Science Foundation awarded UNC faculty members from both disciplines a $500,000 multi-year grant to study password security.
“This is such a relatable problem that we all have to deal with. … We wondered, ‘To what extent can we have the user influence a system-generated password?’” said computer scientist Fabian Monrose. “We wanted to first understand the constraints people are under in coming up with passwords.”
Linguists Elliott Moreton, Jennifer Smith and Katya Pertsova began to explore the idea of lexical blends, words like “brunch” (for breakfast/lunch) or “spork” (for spoon/fork). Moreton quickly dubbed the new NSF-funded partnership “The Spork Lab” and ordered titanium sporks for everyone. The utensils are both flexible and strong, just like the interdepartmental collaboration, he said.
The lexical blend “fantabulous” even made its way into one of their joint papers: “Isn’t that Fantabulous: Security, Linguistic and Usability Challenges of Pronounceable Tokens.”
The researchers had a lot of questions they wanted to explore, such as: Just how big is blend space? If you make up a blended word, how do you measure its pronounceability? What kind of choices do people make in preserving parts of a word when they make a blend; i.e., do they choose to create flamingoose or flamongoose (when blending flamingo and mongoose?)
Our new paper reveals that, in general, people “tend to preserve more of a word that better predicts overall meaning,” Pertsova said.
“With passwords, one of the things that facilitates memorability is predictability, and that of course undermines security,” Moreton added. “They are at war with each other.”
It’s been a fertile area of exploration for both the faculty members and graduate students. The grant has supported masters’ theses, journal articles, papers for international conferences and more. Several projects have extended the work beyond English into Japanese and Spanish.
Monrose said they are also examining how many different source words might be needed to create a blend that’s resistant to attack, since password length — “we think the sweet spot is probably in the 16-character range” — also matters.
The original grant ends this year, but The Spork Lab has recently learned that another proposal has been recommended for funding by the NSF. The new three-year grant would fund a collaboration with linguists and neuroscientists at the University of Massachusetts at Amherst to investigate whether linguistic and nonlinguistic patterns are learned using the same cognitive processes.
“We hope to take all of this information into the next phase and determine how to design algorithms to generate passwords that are resistant to attack; we need more data to better understand all of the techniques available to the adversary,” said Monrose, who has woven some of the group’s initial findings into his introductory course on computer security.
By chance, it was an undergraduate student pursuing a dual major in linguistics and computer science who first brought the faculty members together in a cross-disciplinary partnership that everyone hopes will continue.
“It’s been really fun to collaborate with someone in a separate field and have him look at your work and ask questions about it,” Smith said. “We all come at the issue from different angles.”
By Kim Weaver Spurr ’88
Read more stories about interdisciplinary mashups: