[25.03.28] Security Engineering Laboratory (SecLab) under Professor Kim Hyung-sik – Paper Accepted for Publication at...
- SKKU National Program of Excellence in Software
- 2025-03-28
Security Engineering Laboratory (SecLab) at SKKU (Advisor: Kim Hyung-sik, https://seclab.skku.edu) – "Open Sesame! On the Security and Memorability of Verbal Passwords" Accepted for IEEE Symposium on Security and Privacy (S&P) 2025
The paper "Open Sesame! On the Security and Memorability of Verbal Passwords," conducted by Ph.D. candidate Kim Eun-soo and Professor Kim Hyung-sik at the Security Engineering Laboratory, has been accepted for publication at the IEEE Symposium on Security and Privacy (S&P) 2025, one of the most prestigious conferences in the field of computer security. The study was conducted in collaboration with Professor Kim Doo-won of the University of Tennessee and alumnus Lee Ki-ho from the Security Engineering Laboratory (currently at ETRI).
The research quantitatively analyzed the security and memorability of verbal passwords through two large-scale user experiments, demonstrating that verbal passwords offer a practical and secure alternative to traditional text-based passwords by overcoming their inherent limitations.
In the first user experiment, verbal passwords freely generated by 2,085 participants were evaluated for both short-term and long-term memorability as well as security. Security testing conducted using the PassphraseGPT model—trained on over 20 million common English phrases—revealed that approximately 39.76% of the user-generated verbal passwords could be predicted within one billion guess attempts.
In the second experiment, involving 600 participants, a password creation policy that enforced a minimum word count and incorporated a blocklist was implemented. This approach significantly improved security while maintaining ease of memorability. In long-term memory tests, 65.6% of users in the verbal password group were able to successfully recall their passwords, compared to 54.11% for text-based passwords. Moreover, the proportion of verbal passwords susceptible to guessing attacks was lower than that of text passwords, indicating a stronger resistance to such attacks.
This research has been highly acclaimed for demonstrating that verbal passwords provide a practical and secure alternative to text-based passwords in scenarios where keyboard input is either impossible or inconvenient—such as with smart assistants, wearable devices, in-vehicle systems, and VR/AR environments. The study will be presented in May 2025 in San Francisco, California, USA.
Abstract
Despite extensive research on text passwords, the security and memorability of verbal passwords—spoken rather than typed—remain underexplored. Verbal passwords hold significant potential for scenarios where keyboard input is impractical (e.g., smart speakers, wearables, vehicles) or users have motor impairments that make typing difficult. Through two large-scale user studies, we assessed the viability of verbal passwords. In our first study (N = 2,085), freely chosen verbal passwords were found to have a limited guessing space, with 39.76% cracked within 10^9 guesses. However, in our second study (N = 600), applying word count and blocklist policies for verbal password creation significantly enhanced verbal password performance, achieving better memorability and security than traditional text passwords. Specifically, 65.6% of verbal password users (under the password creation policy using minimum word counts and a blocklist) successfully recalled their passwords in long-term tests, compared to 54.11% for text passwords. Additionally, verbal passwords with enforced policies exhibited a lower crack rate (6.5%) than text passwords (10.3%). These findings highlight verbal passwords as a practical and secure alternative for contexts where text passwords are infeasible, offering strong memorability with robust resistance to guessing attacks.
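The second study and the abstract both describe a creation policy for verbal passwords that combines a minimum word count with a blocklist of common phrases. The following is an added illustration of how such a policy check can be enforced at enrollment time; it is example code written for this page, not the SecLab paper's implementation. The minimum of four words, the small blocklist, and the normalization rules (lowercasing, stripping punctuation, collapsing whitespace, as a speech recognizer's transcript would typically look) are all assumptions made here; the page does not state the threshold or blocklist the study actually used.

```python
"""
Hypothetical enrollment-time policy check for verbal (spoken) passphrases:
minimum word count plus a blocklist of common phrases.
Example code for this page, not the paper's own implementation.
"""
import re
import unicodedata

# Assumed policy threshold; the page does not give the study's actual value.
MIN_WORDS = 4

# Constructed sample blocklist of common phrases. A real deployment would use
# a large list of frequent phrases, normalized the same way as user input.
SAMPLE_BLOCKLIST = {
    "open sesame",
    "let me in",
    "my voice is my password",
    "hello world",
}


def normalize(phrase: str) -> str:
    """Canonicalize a spoken phrase the way a transcript is usually handed
    to the application: Unicode-normalized, lowercase, punctuation removed
    (apostrophes kept so "don't" stays one word), whitespace collapsed."""
    phrase = unicodedata.normalize("NFKC", phrase).lower()
    phrase = re.sub(r"[^\w\s']", " ", phrase)
    return " ".join(phrase.split())


def find_blocklisted_run(words, blocklist):
    """Return the first contiguous run of words that appears in the blocklist,
    or None. Checking runs (not only the whole phrase) means a user cannot
    satisfy the word count by padding a blocklisted phrase with filler."""
    max_len = max((len(b.split()) for b in blocklist), default=0)
    for n in range(1, max_len + 1):
        for i in range(len(words) - n + 1):
            run = " ".join(words[i:i + n])
            if run in blocklist:
                return run
    return None


def check_policy(phrase, blocklist=SAMPLE_BLOCKLIST, min_words=MIN_WORDS):
    """Evaluate a candidate verbal password against the policy.

    Returns (accepted, reasons): accepted is True when no rule is violated,
    and reasons lists every violated rule so the enrollment UI can explain
    the rejection to the user."""
    normalized_blocklist = {normalize(b) for b in blocklist}
    words = normalize(phrase).split()
    reasons = []

    if len(words) < min_words:
        reasons.append(f"needs at least {min_words} words, got {len(words)}")

    hit = find_blocklisted_run(words, normalized_blocklist)
    if hit is not None:
        reasons.append(f"contains blocklisted phrase '{hit}'")

    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample candidates, covering a short blocklisted phrase,
    # a padded blocklisted phrase, and an acceptable free-form phrase.
    for candidate in [
        "Open, Sesame!",
        "please open sesame now",
        "the cat sleeps on the warm radiator",
    ]:
        ok, why = check_policy(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} {why}")
```

The check reports every violated rule rather than stopping at the first, which matters for usability: the study's point is that the policy must raise guessing resistance without hurting memorability, and a user who is told both that the phrase is too short and that it is a common expression can fix it in one attempt.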