TY - GEN
T1 - Open Sesame! On the Security and Memorability of Verbal Passwords
AU - Kim, Eunsoo
AU - Lee, Kiho
AU - Kim, Doowon
AU - Kim, Hyoungshick
N1 - Publisher Copyright:
© 2025 IEEE.
PY - 2025
Y1 - 2025
N2 - Despite extensive research on text passwords, the security and memorability of verbal passwords, spoken rather than typed, remain underexplored. Verbal passwords hold significant potential for scenarios where keyboard input is impractical (e.g., smart speakers, wearables, vehicles) or users have motor impairments that make typing difficult. Through two large-scale user studies, we assessed the viability of verbal passwords. In our first study (N = 2,085), freely chosen verbal passwords were found to have a limited guessing space, with 39.76% cracked within 10^9 guesses. However, in our second study (n = 600), applying word count and blocklist policies for verbal password creation significantly enhanced verbal password performance, achieving better memorability and security than traditional text passwords. Specifically, 65.6% of verbal password users (under the password creation policy using minimum word counts and a blocklist) successfully recalled their passwords in long-term tests, compared to 54.11% for text passwords. Additionally, verbal passwords with enforced policies exhibited a lower crack rate (6.5%) than text passwords (10.3%). These findings highlight verbal passwords as a practical and secure alternative for contexts where text passwords are infeasible, offering strong memorability with robust resistance to guessing attacks.
AB - Despite extensive research on text passwords, the security and memorability of verbal passwords, spoken rather than typed, remain underexplored. Verbal passwords hold significant potential for scenarios where keyboard input is impractical (e.g., smart speakers, wearables, vehicles) or users have motor impairments that make typing difficult. Through two large-scale user studies, we assessed the viability of verbal passwords. In our first study (N = 2,085), freely chosen verbal passwords were found to have a limited guessing space, with 39.76% cracked within 10^9 guesses. However, in our second study (n = 600), applying word count and blocklist policies for verbal password creation significantly enhanced verbal password performance, achieving better memorability and security than traditional text passwords. Specifically, 65.6% of verbal password users (under the password creation policy using minimum word counts and a blocklist) successfully recalled their passwords in long-term tests, compared to 54.11% for text passwords. Additionally, verbal passwords with enforced policies exhibited a lower crack rate (6.5%) than text passwords (10.3%). These findings highlight verbal passwords as a practical and secure alternative for contexts where text passwords are infeasible, offering strong memorability with robust resistance to guessing attacks.
UR - https://www.scopus.com/pages/publications/105009329293
U2 - 10.1109/SP61157.2025.00130
DO - 10.1109/SP61157.2025.00130
M3 - Conference contribution
AN - SCOPUS:105009329293
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 720
EP - 739
BT - Proceedings - 46th IEEE Symposium on Security and Privacy, SP 2025
A2 - Blanton, Marina
A2 - Enck, William
A2 - Nita-Rotaru, Cristina
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 46th IEEE Symposium on Security and Privacy, SP 2025
Y2 - 12 May 2025 through 15 May 2025
ER -