{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,15]],"date-time":"2026-01-15T09:27:16Z","timestamp":1768469236873,"version":"3.49.0"},"reference-count":63,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2019,4,2]],"date-time":"2019-04-02T00:00:00Z","timestamp":1554163200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Institute for Information & communications Technology Promotion (IITP), by NRF of Korea by the MSIT","award":["NRF-2017R1C1B5076474"],"award-info":[{"award-number":["NRF-2017R1C1B5076474"]}]},{"name":"Ministry of Science and ICT (MSIT), Korea, under the ICT Consilience Creative program","award":["IITP-2017-R0346-16-1007"],"award-info":[{"award-number":["IITP-2017-R0346-16-1007"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2019,5,31]]},"abstract":"<jats:p>Passwords are widely used for user authentication, but they are often difficult for a user to recall, easily cracked by automated programs, and heavily reused. Security questions are also used for secondary authentication. They are more memorable than passwords, because the question serves as a hint to the user, but they are very easily guessed. We propose a new authentication mechanism, called \u201clife-experience passwords (LEPs).\u201d Sitting somewhere between passwords and security questions, an LEP consists of several facts about a user-chosen life event\u2014such as a trip, a graduation, a wedding, and so on. At LEP creation, the system extracts these facts from the user\u2019s input and transforms them into questions and answers. At authentication, the system prompts the user with questions and matches the answers with the stored ones. 
We show that question choice and design make LEPs much more secure than security questions and passwords, while the question-answer format promotes low password reuse and high recall.<\/jats:p>\n          <jats:p>\n            Specifically, we find that: (1) LEPs are 10\n            <jats:sup>9<\/jats:sup>\n            --10\n            <jats:sup>14<\/jats:sup>\n            \u00d7 stronger than an ideal, randomized, eight-character password; (2) LEPs are up to 3 \u00d7 more memorable than passwords and on par with security questions; and (3) LEPs are reused half as often as passwords. While both LEPs and security questions use personal experiences for authentication, LEPs use several questions that are closely tailored to each user. This increases LEP security against guessing attacks. In our evaluation, only 0.7% of LEPs were guessed by casual friends, and 9.5% by family members or close friends\u2014roughly half of the security question guessing rate. On the downside, LEPs take around 5 \u00d7 longer to input than passwords. 
So, these qualities make LEPs suitable for multi-factor authentication at high-value servers, such as financial or sensitive work servers, where stronger authentication strength is needed.\n          <\/jats:p>","DOI":"10.1145\/3308992","type":"journal-article","created":{"date-parts":[[2019,4,4]],"date-time":"2019-04-04T18:38:37Z","timestamp":1554403117000},"page":"1-34","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":6,"title":["Using Episodic Memory for User Authentication"],"prefix":"10.1145","volume":"22","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-8983-1542","authenticated-orcid":false,"given":"Simon S.","family":"Woo","sequence":"first","affiliation":[{"name":"Sungkyunkwan University, Suwon, South Korea"}]},{"given":"Ron","family":"Artstein","sequence":"additional","affiliation":[{"name":"USC\/Institute for Creative Technologies, Playa Vista, CA"}]},{"given":"Elsi","family":"Kaiser","sequence":"additional","affiliation":[{"name":"USC\/Linguistics, Los Angeles, CA"}]},{"given":"Xiao","family":"Le","sequence":"additional","affiliation":[{"name":"USC\/Information Sciences Institute, Marina del Rey, CA"}]},{"given":"Jelena","family":"Mirkovic","sequence":"additional","affiliation":[{"name":"USC\/Information Sciences Institute, Marina del Rey, CA"}]}],"member":"320","published-online":{"date-parts":[[2019,4,2]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jmp.2010.08.009"},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.5555\/1596409.1596416"},{"key":"e_1_2_1_3_1","unstructured":"The GitHub Blog. 2016. GitHub Security Update: Reused password attack. Retrieved from https:\/\/github.com\/blog\/2190-github-security-update-reused-password-attack.  The GitHub Blog. 2016. GitHub Security Update: Reused password attack. 
Retrieved from https:\/\/github.com\/blog\/2190-github-security-update-reused-password-attack."},{"key":"e_1_2_1_4_1","volume-title":"Proceedings of the 21st USENIX Conference on Security Symposium. USENIX Association, 33--33","author":"Bojinov Hristo","year":"2012","unstructured":"Hristo Bojinov , Daniel Sanchez , Paul Reber , Dan Boneh , and Patrick Lincoln . 2012 . Neuroscience meets cryptography: Designing crypto primitives secure against rubber hose attacks . In Proceedings of the 21st USENIX Conference on Security Symposium. USENIX Association, 33--33 . Hristo Bojinov, Daniel Sanchez, Paul Reber, Dan Boneh, and Patrick Lincoln. 2012. Neuroscience meets cryptography: Designing crypto primitives secure against rubber hose attacks. In Proceedings of the 21st USENIX Conference on Security Symposium. USENIX Association, 33--33."},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.49"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/2736277.2741691"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.44"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/2699390"},{"key":"e_1_2_1_9_1","volume-title":"What\u2019s in a name? In Financial Cryptography and Data Security","author":"Bonneau Joseph","unstructured":"Joseph Bonneau , Mike Just , and Greg Matthews . 2010. What\u2019s in a name? In Financial Cryptography and Data Security . Springer , 98--113. Joseph Bonneau, Mike Just, and Greg Matthews. 2010. What\u2019s in a name? In Financial Cryptography and Data Security. Springer, 98--113."},{"key":"e_1_2_1_10_1","doi-asserted-by":"crossref","unstructured":"N. M. Bradburn L. J. Rips and S. K. Shevell. 1987. Answering autobiographical questions: The impact of memory and inference on surveys. Science 236 4798 (1987).  N. M. Bradburn L. J. Rips and S. K. Shevell. 1987. Answering autobiographical questions: The impact of memory and inference on surveys. 
Science 236 4798 (1987).","DOI":"10.1126\/science.3563494"},{"key":"e_1_2_1_11_1","unstructured":"Brain Authentication. 2016. http:\/\/brainauth.com\/testdrive\/.  Brain Authentication. 2016. http:\/\/brainauth.com\/testdrive\/."},{"key":"e_1_2_1_12_1","volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS\u201912)","author":"Castelluccia Claude","year":"2012","unstructured":"Claude Castelluccia , Markus D\u00fcrmuth , and Daniele Perito . 2012 . Adaptive password-strength meters from Markov models . In Proceedings of the Network and Distributed System Security Symposium (NDSS\u201912) . Claude Castelluccia, Markus D\u00fcrmuth, and Daniele Perito. 2012. Adaptive password-strength meters from Markov models. In Proceedings of the Network and Distributed System Security Symposium (NDSS\u201912)."},{"key":"e_1_2_1_13_1","volume-title":"Proceedings of the Conference on Empirical Methods in Natural Language Processing (EMNLP\u201914)","volume":"1","author":"Chen Danqi","unstructured":"Danqi Chen and Christopher D. Manning . 2014. A fast and accurate dependency parser using neural networks . In Proceedings of the Conference on Empirical Methods in Natural Language Processing (EMNLP\u201914) , Vol. 1 . 740--750. Danqi Chen and Christopher D. Manning. 2014. A fast and accurate dependency parser using neural networks. In Proceedings of the Conference on Empirical Methods in Natural Language Processing (EMNLP\u201914), Vol. 1. 740--750."},{"key":"e_1_2_1_14_1","unstructured":"Cognitive password. 2016. http:\/\/en.wikipedia.org\/wiki\/Cognitive password\/.  Cognitive password. 2016. http:\/\/en.wikipedia.org\/wiki\/Cognitive password\/."},{"key":"e_1_2_1_15_1","unstructured":"Microsoft Corporation. 2015. Sketch-based password authentication. US Patent number 8 024 775.  Microsoft Corporation. 2015. Sketch-based password authentication. 
US Patent number 8 024 775."},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/2493432.2493453"},{"key":"e_1_2_1_17_1","volume-title":"Proceedings of the USENIX Security Symposium","volume":"13","author":"Davis Darren","unstructured":"Darren Davis , Fabian Monrose , and Michael K. Reiter . 2004. On user choice in graphical password schemes . In Proceedings of the USENIX Security Symposium , Vol. 13 . 11--11. Darren Davis, Fabian Monrose, and Michael K. Reiter. 2004. On user choice in graphical password schemes. In Proceedings of the USENIX Security Symposium, Vol. 13. 11--11."},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813631"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/1978942.1979323"},{"key":"e_1_2_1_20_1","unstructured":"Geoff Duncan. 2016. Why haven't biometrics replaced passwords yet? http:\/\/www.digitaltrends.com\/android\/can-biometrics-secure-our-digital-lives\/.  Geoff Duncan. 2016. Why haven't biometrics replaced passwords yet? http:\/\/www.digitaltrends.com\/android\/can-biometrics-secure-our-digital-lives\/."},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1037\/10011-000"},{"key":"e_1_2_1_22_1","volume-title":"Retrieved on","author":"Named","year":"2014","unstructured":"Named entity recognition. 2015. Retrieved on October 10, 2014 from https:\/\/en.wikipedia.org\/wiki\/Named-entity_recognition. Named entity recognition. 2015. Retrieved on October 10, 2014 from https:\/\/en.wikipedia.org\/wiki\/Named-entity_recognition."},{"key":"e_1_2_1_23_1","volume-title":"Retrieved on","author":"Pluggable Authentication","year":"2014","unstructured":"Pluggable Authentication Modules for Linux (PAM). 2015. Retrieved on October 10, 2014 from http:\/\/www.linux-pam.org\/. Pluggable Authentication Modules for Linux (PAM). 2015. Retrieved on October 10, 2014 from http:\/\/www.linux-pam.org\/."},{"key":"e_1_2_1_24_1","unstructured":"Freebase. 2016. http:\/\/www.freebase.com\/.  
Freebase. 2016. http:\/\/www.freebase.com\/."},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1007\/11496137_7"},{"key":"e_1_2_1_26_1","unstructured":"NIST Electronic Authentication Guideline. 2006. NIST Special Publication 800-63 Version 1.0. 2.  NIST Electronic Authentication Guideline. 2006. NIST Special Publication 800-63 Version 1.0. 2."},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/3173574.3174144"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/2702123.2702131"},{"key":"e_1_2_1_29_1","volume-title":"Smith","author":"Heilman Michael","year":"2010","unstructured":"Michael Heilman and Noah A . Smith . 2010 . Good question! Statistical ranking for question generation. In Proceedings of the 2010 Annual Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies. Association for Computational Linguistics , 609--617. Michael Heilman and Noah A. Smith. 2010. Good question! Statistical ranking for question generation. In Proceedings of the 2010 Annual Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies. Association for Computational Linguistics, 609--617."},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813622"},{"key":"e_1_2_1_31_1","unstructured":"Google Inc. 2015. Facial Recognition. U.S. Patent number 8 457 367.  Google Inc. 2015. Facial Recognition. U.S. Patent number 8 457 367."},{"key":"e_1_2_1_32_1","volume-title":"Retrieved","author":"Google Inc.","year":"2016","unstructured":"Google Inc. 2016 . 10,000 Most Common English Words . Retrieved October 10, 2015 from https:\/\/github.com\/first20hours\/google-10000-english\/. Google Inc. 2016. 10,000 Most Common English Words. 
Retrieved October 10, 2015 from https:\/\/github.com\/first20hours\/google-10000-english\/."},{"key":"e_1_2_1_33_1","volume-title":"Proceedings of the 8th USENIX Security Symposium. Washington DC, 1--14","author":"Jermyn Ian","unstructured":"Ian Jermyn , Alain Mayer , Fabian Monrose , Michael K. Reiter , and Aviel D. Rubin . 1999. The design and analysis of graphical passwords . In Proceedings of the 8th USENIX Security Symposium. Washington DC, 1--14 . Ian Jermyn, Alain Mayer, Fabian Monrose, Michael K. Reiter, and Aviel D. Rubin. 1999. The design and analysis of graphical passwords. In Proceedings of the 8th USENIX Security Symposium. Washington DC, 1--14."},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/1572532.1572543"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.38"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1111\/j.1467-8721.2007.00506.x"},{"key":"e_1_2_1_37_1","volume-title":"23rd USENIX Security Symposium (USENIX Security'14)","author":"Komanduri Saranga","year":"2014","unstructured":"Saranga Komanduri , Richard Shay , Lorrie Faith Cranor , Cormac Herley , and Stuart Schechter . 2014 . Telepathwords: Preventing weak passwords by reading users\u2019 minds . In 23rd USENIX Security Symposium (USENIX Security'14) . 591--606. Saranga Komanduri, Richard Shay, Lorrie Faith Cranor, Cormac Herley, and Stuart Schechter. 2014. Telepathwords: Preventing weak passwords by reading users\u2019 minds. In 23rd USENIX Security Symposium (USENIX Security'14). 591--606."},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/1143120.1143129"},{"key":"e_1_2_1_39_1","unstructured":"LTH Semantic Role Labeler. 2015. Retrieved October 10 2014 from http:\/\/barbar.cs.lth.se:8081\/.  LTH Semantic Role Labeler. 2015. 
Retrieved October 10 2014 from http:\/\/barbar.cs.lth.se:8081\/."},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.3115\/v1\/P14-5010"},{"key":"e_1_2_1_41_1","unstructured":"Luke Mastin. 2016. The Human Memory. Retrieved from http:\/\/www.human-memory.net\/.  Luke Mastin. 2016. The Human Memory. Retrieved from http:\/\/www.human-memory.net\/."},{"key":"e_1_2_1_42_1","volume-title":"Proceedings of the Symposium on Usable Privacy and Security (SOUPS\u201917)","author":"Micallef Nicholas","year":"2017","unstructured":"Nicholas Micallef and Nalin Asanka Gamagedara Arachchilage . 2017 . A gamified approach to improve users? Memorability of fall-back authentication . Proceedings of the Symposium on Usable Privacy and Security (SOUPS\u201917) . Nicholas Micallef and Nalin Asanka Gamagedara Arachchilage. 2017. A gamified approach to improve users? Memorability of fall-back authentication. Proceedings of the Symposium on Usable Privacy and Security (SOUPS\u201917)."},{"key":"e_1_2_1_43_1","unstructured":"Mnemonic Guard. 2015a. http:\/\/www.mneme.co.jp\/english\/index.html.  Mnemonic Guard. 2015a. http:\/\/www.mneme.co.jp\/english\/index.html."},{"key":"e_1_2_1_44_1","unstructured":"Mnemonic Guard Blog. 2015b. http:\/\/mnemonicguard.blogspot.com\/.  Mnemonic Guard Blog. 2015b. http:\/\/mnemonicguard.blogspot.com\/."},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1002\/acp.847"},{"key":"e_1_2_1_46_1","volume-title":"Proceedings of Customer Focused Mobile Services Workshop.","author":"Nosseir Ann","unstructured":"Ann Nosseir , Richard Connor , and M. D. Dunlop . 2005. Internet authentication based on personal history\u2014A feasibility test . In Proceedings of Customer Focused Mobile Services Workshop. Ann Nosseir, Richard Connor, and M. D. Dunlop. 2005. Internet authentication based on personal history\u2014A feasibility test. 
In Proceedings of Customer Focused Mobile Services Workshop."},{"key":"e_1_2_1_47_1","unstructured":"THE Corpus of Contemporary American English (COCA). 2015. Retrieved October 10 2014 from http:\/\/corpus.byu.edu\/coca\/.  THE Corpus of Contemporary American English (COCA). 2015. Retrieved October 10 2014 from http:\/\/corpus.byu.edu\/coca\/."},{"key":"e_1_2_1_48_1","unstructured":"Part of-speech tagging. 2015. Retrieved October 10 2014 from https:\/\/en.wikipedia.org\/wiki\/Part-of-speech_tagging.  Part of-speech tagging. 2015. Retrieved October 10 2014 from https:\/\/en.wikipedia.org\/wiki\/Part-of-speech_tagging."},{"key":"e_1_2_1_49_1","unstructured":"Semantic role labeling. 2015. Retrieved October 10 2014 from https:\/\/en.wikipedia.org\/wiki\/Semantic_role_labeling.  Semantic role labeling. 2015. Retrieved October 10 2014 from https:\/\/en.wikipedia.org\/wiki\/Semantic_role_labeling."},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2009.11"},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/2335356.2335366"},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/2556288.2557377"},{"key":"e_1_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1145\/2535813.2535820"},{"key":"e_1_2_1_54_1","unstructured":"Amazon Mechanical Turk. 2018. https:\/\/www.mturk.com\/.  Amazon Mechanical Turk. 2018. https:\/\/www.mturk.com\/."},{"key":"e_1_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/3025453.3026050"},{"key":"e_1_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23103"},{"key":"e_1_2_1_57_1","volume-title":"Proceedings of the Symposium on Usable Privacy and Security (SOUPS\u201916)","author":"Wash Rick","year":"2016","unstructured":"Rick Wash , Emilee Rader , Ruthie Berman , and Zac Wellmer . 2016 . Understanding password choices: How frequently entered passwords are re-used across websites . In Proceedings of the Symposium on Usable Privacy and Security (SOUPS\u201916) . 
Rick Wash, Emilee Rader, Ruthie Berman, and Zac Wellmer. 2016. Understanding password choices: How frequently entered passwords are re-used across websites. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS\u201916)."},{"key":"e_1_2_1_58_1","volume-title":"The Free Encyclopedia","author":"Wikipedia","year":"2004","unstructured":"Wikipedia , The Free Encyclopedia . 2004 . Retrieved on February 12, 2016 from https:\/\/en.wikipedia.org\/wiki\/Main_Page. Wikipedia, The Free Encyclopedia. 2004. Retrieved on February 12, 2016 from https:\/\/en.wikipedia.org\/wiki\/Main_Page."},{"key":"e_1_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/2991079.2991107"},{"key":"e_1_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/W16-6632"},{"key":"e_1_2_1_61_1","volume-title":"Proceedings of the 10th International Conference on Passwords (Passwords).","author":"Simon","unstructured":"Simon S. Woo and Jelena Mirkovic. 2016. Improving recall and security of passphrases through use of mnemonics . In Proceedings of the 10th International Conference on Passwords (Passwords). Simon S. Woo and Jelena Mirkovic. 2016. Improving recall and security of passphrases through use of mnemonics. 
In Proceedings of the 10th International Conference on Passwords (Passwords)."},{"key":"e_1_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1109\/AINA.2008.40"},{"key":"e_1_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.5087\/dad.2012.206"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3308992","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3308992","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T00:58:03Z","timestamp":1750208283000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3308992"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,4,2]]},"references-count":63,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2019,5,31]]}},"alternative-id":["10.1145\/3308992"],"URL":"https:\/\/doi.org\/10.1145\/3308992","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,4,2]]},"assertion":[{"value":"2018-03-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2019-01-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2019-04-02","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}