A multi-word password proposal (gridWord) and exploring questions about science in security research and usable security evaluation

Kemal Bicakci, Paul C. Van Oorschot*

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review

13 Citations (Scopus)

Abstract

Our agenda is two-fold. First, we introduce and give a technical description of gridWord, a novel knowledge-based authentication mechanism involving elements of both text and graphical passwords. It is intended to address a new research challenge arising from the evolution of Internet access devices, and which may arguably be viewed as motivating a new paradigm: remote access password schemes which accommodate users who alternately login from devices with, and without, full physical keyboards (e.g., users alternating between desktops with easy text input, and mobile devices with tiny or touch-screen virtual keyboards). While the core ideas behind gridWord are well-formed, and may be viewed as a new variation of old (text-based) ideas of building passwords from multiple words, many aspects including recommended parameterization and configuration details, preferred platforms, and primary targets of application remain to be explored in detail. We nonetheless solicit early feedback from the community for several reasons, related to our second agenda item: we use gridWord as a concrete target to focus exploration of a number of questions involving (a) the evaluation of usable security proposals, (b) the often conflicting objectives of various parties involved in the publication of academic research, and (c) the relationship between the design and publication of new security mechanisms and the pursuit of scientific knowledge through experimentation. We believe the second agenda item is important to pursue, given our observation that experts in usability and security have widely varying expectations, and lack consensus on what is important for the evaluation, comparison, and publication of usable security proposals.

Original language: English
Title of host publication: NSPW'11 - Proceedings of the 2011 New Security Paradigms Workshop
Pages: 25-36
Number of pages: 12
Publication status: Published - 2011
Externally published: Yes
Event: 2011 New Security Paradigms Workshop, NSPW'11 - Marin County, CA, United States
Duration: 12 Sept 2011 to 15 Sept 2011

Publication series

Name: Proceedings New Security Paradigms Workshop

Conference

Conference: 2011 New Security Paradigms Workshop, NSPW'11
Country/Territory: United States
City: Marin County, CA
Period: 12/09/11 to 15/09/11

Keywords

  • evaluation
  • passwords
  • science
  • usable security
