Security proponents heavily emphasize the importance of choosing a strong password (one with high entropy). Unfortunately, by design, most humans are apparently incapable of generating such passwords, or of memorizing a random-looking, machine-generated one for long-term use. Infrequently used passwords pose even bigger security and usability problems. We exploit the fact that many users now own or have access to a large quantity of digitized personal or personally meaningful content in designing an object-based password scheme called ObPwd. ObPwd enables users to select a password-generating object from their local collection or from the web, and then converts the password object (e.g. an image, a particular piece of music, an excerpt from a book) to a (potentially) high-entropy text password that can be used for regular or secondary web authentication, or in local applications (e.g. encryption). Instead of requiring users to memorize an exact password, ObPwd only requires one to remember a...
Mohammad Mannan, Paul C. van Oorschot
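
The object-to-password conversion described in the abstract can be sketched as follows. This is an added example, not ObPwd's own algorithm or code: the use of SHA-256, the 94-character printable alphabet, the length limit and the `site` label are all assumptions made for illustration.

```python
import hashlib
import math
import string

# Assumption: output alphabet is the 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def object_to_password(obj: bytes, length: int = 16, site: bytes = b"") -> str:
    """Derive a text password from the raw bytes of a user-chosen object.

    `site` is a hypothetical per-service label so one object can yield
    distinct passwords; it is length-prefixed to keep the encoding unambiguous.
    """
    if not obj:
        raise ValueError("an empty object carries no entropy")
    if not 1 <= length <= 32:
        # 94**32 < 2**256, so the base conversion below stays near-uniform.
        raise ValueError("length must be between 1 and 32")
    digest = hashlib.sha256(len(site).to_bytes(4, "big") + site + obj).digest()
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))  # peel off one base-94 digit
        chars.append(ALPHABET[idx])
    return "".join(chars)


def max_entropy_bits(length: int) -> float:
    """Ceiling imposed by the text format. The effective entropy is bounded
    by how hard the object itself is to guess, hence "potentially" high."""
    return length * math.log2(len(ALPHABET))


# Constructed stand-in for the bytes of an image or audio file.
SAMPLE_OBJECT = bytes(range(256)) * 64
# The same object with a single bit flipped (e.g. a re-encoded copy).
ALTERED_OBJECT = bytes([SAMPLE_OBJECT[0] ^ 0x01]) + SAMPLE_OBJECT[1:]

if __name__ == "__main__":
    print(object_to_password(SAMPLE_OBJECT))
    print(object_to_password(ALTERED_OBJECT))   # unrelated password
    print(object_to_password(SAMPLE_OBJECT, site=b"mail.example"))
    print(f"{max_entropy_bits(16):.1f} bits at most for 16 characters")
```

Any change to the object's bytes yields an unrelated password, so the user has to keep (or be able to re-fetch) the exact same file, and a publicly popular object offers far less than the format's ceiling.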