Select Language

Trenchcoat: Human-Computable Hashing Algorithms for Password Generation

Analysis of human-computable hash functions for password generation, leveraging associative memory for security without password managers.
computationalcoin.com | PDF Size: 0.9 MB
Rating: 4.5/5
Your Rating
You have already rated this document
PDF Document Cover - Trenchcoat: Human-Computable Hashing Algorithms for Password Generation
View PDF Document Download PDF Translate PDF
Home » Documentation » Trenchcoat: Human-Computable Hashing Algorithms for Password Generation

1. Introduction

The modern digital landscape requires individuals to manage an overwhelming number of online accounts (90-130 on average), leading to insecure password practices like reuse and predictable patterns. Traditional solutions—complex password rules and password managers—often fail due to high cognitive load or security vulnerabilities. This paper introduces Trenchcoat, a novel paradigm of human-computable hash functions designed to generate unique, secure passwords for each site from a single master secret, performed mentally by the user.

2. The Problem with Current Password Practices

Users face contradictory demands: create random, unique passwords for hundreds of sites while remembering them all. This leads to:

  • Password Reuse: Over 50% of passwords are reused across multiple accounts.
  • Predictable Patterns: Use of common words, names, and simple substitutions.
  • Manager Vulnerabilities: Password managers are frequent targets for zero-day exploits.
  • Cognitive Overload: Complex rules are ignored in favor of convenience, compromising security.

The trade-off between memorability and security remains the central unsolved problem in authentication.

3. The Trenchcoat Framework

Trenchcoat proposes shifting the computation from a device to the user's mind, using functions tailored to human cognition.

3.1. Core Concept: Human-Computable Hash Functions

The core function is defined as $F_R(s, w) \rightarrow y$, where:

  • $s$: User's master secret (not necessarily a string).
  • $w$: Website/account identifier (e.g., "google.com").
  • $R$: The user's unique configuration of associative and implicit memory.
  • $y$: The generated password (sub-secret).

The function $F$ is parameterized by $R$, making it unique per individual and difficult for an adversary to replicate or verify.

3.2. Leveraging Associative and Implicit Memory (R)

The key innovation is incorporating $R$—the idiosyncratic structure of a user's memory, including personal associations, spatial recall, and implicit knowledge. This acts as a cognitive Physically Unclonable Function (PUF). An adversary lacking knowledge of $R$ cannot efficiently compute $F_R$, even if $s$ and $w$ are known.

3.3. Function Examples & Primitive Operations

Proposed algorithms require only primitive, accessible operations:

  • Arithmetic: Simple addition, modulo operations on digits derived from $s$ and $w$.
  • Spatial Navigation: Mentally traversing a personal memory palace or grid.
  • Pattern Searching: Finding sequences within a personal mental text or image.

These make the system accessible to neurodiverse and differently-abled individuals.

4. Security Analysis & Methodology

Traditional cryptographic analysis is insufficient. Trenchcoat employs a multi-faceted approach:

4.1. Entropy-Based Evaluation

Security is measured by the effective entropy introduced by the function $F_R$ and the master secret $s$. The goal is to ensure the output space for $y$ is large enough to resist brute-force and dictionary attacks, considering the constraints of human computation.

4.2. Comparison to Traditional Cryptography & PUFs

The system is analogous to a PUF [37], where $R$ is the unclonable "physical" substrate. Unlike digital PUFs, $R$ is a cognitive construct. This provides security through obscurity of process rather than secrecy of algorithm, a controversial but potentially viable model for this specific threat model (remote attackers).

5. Experimental Results & User Study

5.1. Survey Methodology (n=134)

A user study was conducted where 134 participants each tested two candidate Trenchcoat schemes. The study evaluated memorability of the master secret, time to generate passwords, error rates, and subjective usability.

5.2. Performance and Usability Findings

Initial results indicated that users could reliably generate passwords after a short training period. Schemes based on spatial memory showed lower error rates for some users. Cognitive load was reported as significantly lower than managing multiple unique passwords, but higher than simple password reuse.

Chart Insight (Conceptual): A hypothetical bar chart would show "Time to Generate Password" decreasing with practice over 5 trials for Trenchcoat methods, while "Recall Accuracy" remains high (>90%). A comparison line for "Traditional Random Password Recall" would show a steep decline over a 7-day period.

5.3. Website Password Policy Survey (n=400)

A survey of 400 websites revealed inconsistent and often contradictory password policies, reinforcing the user's difficulty in compliance and justifying the need for a unified, user-centric generation method like Trenchcoat.

6. Technical Details & Mathematical Framework

Consider a simple arithmetic-based Trenchcoat function:

  1. Map master secret $s$ and website $w$ to numerical sequences (e.g., using a personal cipher).
  2. Perform a series of predefined, $R$-dependent operations. Example: $y_i = (s_i + w_i + k_i) \mod 10$, where $k_i$ is a digit derived from the $i^{th}$ position of a personal memory trigger (part of $R$).
  3. Concatenate results $y_i$ and apply a final personal rule (e.g., capitalize the letter corresponding to the sum of all digits).

The security relies on the entropy of $s$ and the non-linear, user-specific mixing introduced by $R$.

7. Analysis Framework & Example Case

Case Study: Evaluating a Spatial-Navigation Trenchcoat Function

Framework: Use the NIST SP 800-63B guidelines for memorized secrets as a baseline, but augment with cognitive psychology metrics.

  1. Threat Model: Remote attacker with large breach corpus. Cannot observe user's mental process ($R$).
  2. Entropy Estimation: Calculate Shannon entropy of the output $y$ not from the algorithm alone, but from the attacker's perspective, who must guess $R$. Model $R$ as a selection from a vast space of cognitive patterns.
  3. Usability Testing: Measure success rate after 1 week without practice. Compare to password manager recall and plain password recall.
  4. Resilience Analysis: Test if compromise of $y$ for one site $w_1$ leaks information about $s$ or $R$ that weakens $y$ for another site $w_2$. This is the core cryptographic requirement of the hash function.

No code is required for this analysis; it is a structured evaluation methodology.

8. Critical Analysis & Industry Perspective

Core Insight: Trenchcoat isn't just another password scheme; it's a radical bet that cognitive diversity can be a cryptographic primitive. It attempts to formalize the "personal algorithm" many security-aware users already vaguely employ, turning a weakness (human predictability) into a strength (human uniqueness).

Logical Flow: The logic is compelling but rests on a fragile chain. 1) Users must create a strong, memorable $s$—the oldest unsolved problem. 2) The $R$ configuration must be stable over time and across contexts (stress, fatigue). Neuroscience suggests memory recall is not a deterministic function [like a digital PUF's challenge-response]; it's noisy and context-dependent. 3) The security argument hinges on the infeasibility of modeling $R$. Yet, behavioral analytics and AI are increasingly adept at modeling individual cognitive patterns from digital footprints.

Strengths & Flaws: Its greatest strength is bypassing the password manager attack surface. No database to steal, no master password to phish. Its flaw is non-repudiation and recovery. If a user forgets their $R$ process after a head injury or simply over time, all derived passwords are lost irrevocably—a disaster compared to a password manager's recovery options. Furthermore, as noted in research on cognitive security primitives, the "work factor" for a human is fixed and low, limiting entropy scaling compared to silicon-based cryptography.

Actionable Insights: For enterprise security architects, Trenchcoat is not a ready-to-deploy solution but a crucial research vector. Pilot it in low-risk internal environments to gather longitudinal data on cognitive consistency. For researchers, the priority is to rigorously quantify the entropy of $R$. Collaborate with neuroscientists to design tests that measure the stability and uniqueness of proposed memory-based functions. The field must move beyond simple user surveys to controlled experiments that map the actual attack surface, perhaps using frameworks from adversarial machine learning to simulate an attacker trying to infer $R$.

9. Future Applications & Research Directions

  • Hybrid Systems: Combine a low-entropy Trenchcoat output with a device-held high-entropy key for a multi-factor solution.
  • Cognitive Biometrics: Use the process of executing $F_R$ as a continuous authentication factor, detecting anomalies if the cognitive "signature" changes.
  • Post-Quantum Preparedness: Explore if human-computable functions based on problems hard for AI but easy for humans (certain spatial reasoning tasks) could offer long-term security.
  • Accessibility-First Design: Develop specialized functions for users with specific cognitive or physical profiles, turning accessibility needs into security features.
  • Standardization Efforts: Begin work on a framework for describing and evaluating human-computable functions, similar to NIST's role in traditional cryptography.

10. References

  1. Rooparaghunath, R. H., Harikrishnan, T. S., & Gupta, D. (2023). Trenchcoat: Human-Computable Hashing Algorithms for Password Generation. arXiv preprint arXiv:2310.12706.
  2. Bonneau, J., Herley, C., van Oorschot, P. C., & Stajano, F. (2012). The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. IEEE Symposium on Security and Privacy.
  3. NIST. (2017). Digital Identity Guidelines: Authentication and Lifecycle Management (SP 800-63B).
  4. Ur, B., et al. (2016). Design and evaluation of a data-driven password meter. CHI.
  5. Pearman, S., et al. (2017). Let's go in for a closer look: Observing passwords in their natural habitat. CCS.
  6. Garfinkel, S. (2005). Design Principles and Patterns for Computer Systems That Are Simultaneously Secure and Usable. PhD Thesis.
  7. M'Raihi, D., et al. (2011). TOTP: Time-Based One-Time Password Algorithm (RFC 6238).
  8. Neuroscience of Memory Review. (2022). Annual Review of Psychology.
  9. Pappas, C., et al. (2022). On the Stability of Behavioral Biometrics. IEEE Transactions on Biometrics, Behavior, and Identity Science.