The idea of using passphrases for storing stronger secrets has been around since at least 1982, yet little work has been done to improve the usability of this method. Diceware, the de facto method and passphrase wordlist, contains wonderfully easy to remember words such as "aeneid", "zh", and "$$" (Let's not get started on "h", "hh", "hhh" and "hhhh"). Moreover, extended language support for Diceware is often based on translations of the original wordlist, which contains numerous Americanisms such as "howdy", "hubbub", and "Boise".
In this talk, we will discuss the problems facing passphrases in the present, and propose alternative approaches to passphrase wordlist generation. We will discuss our our own method for creating localized wordlists and how this method is being tested using Peerio as a real-world test site and analyzed by our academic partners. Specifically, we argue that accounting for cultural and social variables in language usage can provide stronger, more memorable, and in some cases shorter passphrases than existing models. Finally, we would like to open the discussion to assess possible faults with this method, identify potential improvements, and consider other ways in which we as a community can collaboratively improve the overall user experience of passphrases.
A humanities geek who became interested in privacy after years of studying Foucault, panopticism, and post-structuralist theories of power. In attempts to become less arcane in daily conversation, this interest evolved into taking up critical literature studies focusing on how science-fiction can serve to guide real world cultural and political values. With Peerio, I take on much of the non-technical work, serving as user advocate and general product manager (dev herder). I dabble in password and authentication usability research. Ask me about how the Animatrix is a perfect vision of Marx's proletariate revolution, or about how we can try to make passwords and passphrases less terrible.
CTO @ Peerio