Using Episodic Memory for User Authentication
ACM Transactions on Privacy and Security (IF 3.0). Pub Date: 2019-04-04. DOI: 10.1145/3308992
Simon S. Woo, Ron Artstein, Elsi Kaiser, Xiao Le, Jelena Mirkovic
Passwords are widely used for user authentication, but they are often difficult for a user to recall, easily cracked by automated programs, and heavily reused. Security questions are also used for secondary authentication. They are more memorable than passwords, because the question serves as a hint to the user, but they are very easily guessed. We propose a new authentication mechanism, called “life-experience passwords (LEPs).” Sitting somewhere between passwords and security questions, an LEP consists of several facts about a user-chosen life event—such as a trip, a graduation, a wedding, and so on. At LEP creation, the system extracts these facts from the user’s input and transforms them into questions and answers. At authentication, the system prompts the user with questions and matches the answers with the stored ones. We show that question choice and design make LEPs much more secure than security questions and passwords, while the question-answer format promotes low password reuse and high recall. Specifically, we find that: (1) LEPs are 10^9 to 10^14 times stronger than an ideal, randomized, eight-character password; (2) LEPs are up to 3× more memorable than passwords and on par with security questions; and (3) LEPs are reused half as often as passwords. While both LEPs and security questions use personal experiences for authentication, LEPs use several questions that are closely tailored to each user. This increases LEP security against guessing attacks. In our evaluation, only 0.7% of LEPs were guessed by casual friends, and 9.5% by family members or close friends—roughly half of the security question guessing rate. On the downside, LEPs take around 5× longer to input than passwords. These qualities make LEPs suitable for multi-factor authentication at high-value servers, such as financial or sensitive work servers, where stronger authentication strength is needed.
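The creation and authentication steps the abstract describes (extract facts from a life event, store them, then prompt with the questions and match the answers) are sketched below as an added example; this is not the paper's code. It assumes the fact-extraction step has already produced question/answer pairs and adds the storage choices a practitioner would expect from a credential store: answers are normalised so harmless variation in how a user retypes a fact still matches, each answer is kept only as a salted PBKDF2 hash so a leaked record does not reveal the life event, and verification evaluates every question with a constant-time comparison so timing does not reveal which answer was wrong. The sample trip, the question wording and the iteration count are constructed for this example.

```python
"""Life-experience-password (LEP) enrol/verify sketch (added example, not the paper's code).

Assumes the paper's extraction step has already turned the user's description
of a life event into (question, answer) pairs; only storage and matching are shown.
"""
import hashlib
import hmac
import os
import re
import unicodedata

PBKDF2_ITERATIONS = 100_000  # assumption: work factor chosen for the example

# Constructed sample event: a trip, already split into question/answer facts.
EXAMPLE_FACTS = {
    "Where did you travel on this trip?": "Lisbon, Portugal",
    "Who travelled with you?": "María",
    "In which year did the trip take place?": "2015",
}


def normalize_answer(answer: str) -> str:
    """Canonicalise a free-text answer: strip accents, fold case, drop
    punctuation and collapse whitespace, so 'María!' and 'maria' agree."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.casefold()
    text = re.sub(r"[^\w\s]", " ", text)  # punctuation becomes a separator
    return " ".join(text.split())  # collapse runs of whitespace


def _hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the normalised answer; the plaintext fact is never stored."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def enroll(facts: dict[str, str]) -> list[dict]:
    """Build the stored LEP record from extracted facts. Questions stay in the
    clear (they are shown at login); each answer gets its own random salt."""
    record = []
    for question, answer in facts.items():
        salt = os.urandom(16)
        record.append(
            {"question": question, "salt": salt, "digest": _hash_answer(answer, salt)}
        )
    return record


def verify(record: list[dict], responses: dict[str, str]) -> bool:
    """Accept only if every stored question is answered correctly.
    Every entry is hashed and compared in constant time, regardless of earlier
    mismatches, so the response time does not single out the wrong answer."""
    all_ok = True
    for entry in record:
        given = responses.get(entry["question"], "")
        ok = hmac.compare_digest(_hash_answer(given, entry["salt"]), entry["digest"])
        all_ok = all_ok and ok
    return all_ok


def demo() -> tuple[bool, bool]:
    """Enrol the sample event, then verify one correct and one wrong login attempt."""
    record = enroll(EXAMPLE_FACTS)
    correct = {
        "Where did you travel on this trip?": "lisbon portugal",  # retyped differently
        "Who travelled with you?": "MARIA",
        "In which year did the trip take place?": "2015",
    }
    wrong_year = dict(correct, **{"In which year did the trip take place?": "2016"})
    return verify(record, correct), verify(record, wrong_year)


if __name__ == "__main__":
    print(demo())
```

The all-questions policy is the strictest reading of "matches the answers with the stored ones"; a deployment that tolerates one forgotten fact would count matches instead of requiring all of them, but should still hash every answer before deciding so the failure is not observable through timing.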

Updated: 2019-04-04