Select Language

Trenchcoat: Human-Computable Hashing Algorithms for Password Generation

Analysis of human-computable hash functions for password generation, leveraging cognitive science and cryptography to create secure, memorable passwords without external tools.
computationalcoin.com | PDF Size: 0.9 MB
Rating: 4.5/5
Your Rating
You have already rated this document
PDF Document Cover - Trenchcoat: Human-Computable Hashing Algorithms for Password Generation
View PDF Document Download PDF Translate PDF
Home » Documentation » Trenchcoat: Human-Computable Hashing Algorithms for Password Generation

Table of Contents

1. Introduction

The modern digital landscape requires individuals to manage an overwhelming number of online accounts, each protected by a password. The cognitive burden of creating and remembering unique, strong passwords leads to insecure practices like password reuse and simple variants. This paper introduces "Trenchcoat," a framework for human-computable hashing algorithms designed to generate secure, unique passwords for each site using only a single, memorable master secret and mental computation.

2. The Problem with Current Password Practices

Users are caught between security mandates (complexity rules, frequent changes) and cognitive limitations. This results in:

  • Password Reuse: Over 50% of passwords are reused across multiple accounts.
  • Weak Construction: Reliance on predictable patterns, dictionary words, and personal information.
  • Tool Reliance & Risk: Password managers, while helpful, introduce single points of failure and have been subject to critical vulnerabilities.
  • Accessibility Gap: Many solutions are not designed for neurodiverse or differently-abled users.

Key Statistics

90-130: Average online accounts per user.

3 × 1011: Estimated passwords in use.

>50%: Rate of password reuse among individuals.

3. The Trenchcoat Framework

Trenchcoat reimagines password generation as a human-executable cryptographic process.

3.1. Core Concept: Human-Computable Hash Functions

The core idea is a function $F_R(s, w) \rightarrow y$. It takes a user's master secret (s) and a website/account identifier (w) to produce a unique password (y). The critical parameter $R$ represents the user's unique cognitive configuration.

3.2. Leveraging Associative and Implicit Memory (R)

The framework exploits individual-specific cognitive traits ($R$), such as spatial memory or personal associative networks. This makes the function akin to a "Cognitive Physically Unclonable Function (C-PUF)". An adversary cannot efficiently compute or verify $F_R$ without knowledge of the user's internal $R$, providing a layer of security analogous to hardware PUFs used in device authentication [37].

4. Proposed Algorithms & Technical Details

4.1. Algorithm Categories

The paper proposes several algorithm types based on primitive operations:

  • Arithmetic-based: Using modular addition, digit manipulation on master secret and website name.
  • Spatial/Navigation-based: Mapping characters to points on a mental grid or path.
  • Lexical/Search-based: Using personal mental dictionaries or story associations.

All are designed for low cognitive load and accessibility.

4.2. Mathematical Formulation

A simplified arithmetic-based example: Let $s$ be a numeric master secret (e.g., derived from a memorable date). Let $H(w)$ be a simple hash (e.g., sum of character codes mod 10) of the website name. A password digit $y_i$ could be generated as:
$y_i = (s_i + H(w)_i + c_i) \mod 10$
where $c_i$ is a carry from the previous operation or a user-specific permutation step defined by $R$. The full password is the concatenation of $y_i$.

5. Security Analysis & Entropy Evaluation

Traditional cryptanalysis is difficult to apply directly. The paper uses entropy-based metrics:

  • Effective Key Space: Estimating the search space for an attacker guessing $s$ and $R$.
  • Resistance to Known Attacks: Analysis against dictionary attacks, phishing (the generated password is site-specific), and observation attacks (shoulder surfing).
  • Uniqueness of R: The security heavily relies on the unpredictability and individuality of the cognitive parameter $R$.

The conclusion is that while the absolute bit strength may be lower than algorithmic hashes, the integration of the human element ($R$) and the requirement for the attacker to model it creates a significant practical barrier.

6. Experimental Results & User Survey

The study included a survey of 134 individuals, each testing two proposed schemes, and a review of password policies on 400 websites.

Key Findings:

  • Usability: Participants could reliably generate passwords after a short training period. Spatial and story-based methods showed high recall rates.
  • Acceptance: Users preferred methods that felt "personal" or "story-like" over purely arithmetic ones.
  • Policy Analysis: Website password requirements are highly inconsistent, complicating the design of a universal generation function.

Chart Insight (Conceptual): A hypothetical bar chart would show "Password Recall Accuracy" on the Y-axis versus "Algorithm Type" on the X-axis. "Spatial/Narrative" algorithms would likely show a significantly higher accuracy bar (~90%) compared to "Pure Arithmetic" algorithms (~70%), demonstrating the advantage of leveraging human cognitive strengths.

7. Analysis Framework & Case Example

Framework for Evaluating a Human-Computable Hash Scheme:

  1. Input Definition: Clearly define the format of $s$ (e.g., a 6-digit number, a phrase) and $w$ (e.g., full domain name, a user-chosen tag).
  2. Operation Mapping: Define the sequence of mental operations (e.g., "take the 3rd and 5th letter of w, convert to numbers, add to the 2nd digit of s...").
  3. R Integration: Specify how $R$ is incorporated (e.g., "use your childhood phone number's area code to seed a letter-shift pattern").
  4. Output Formatting: Describe how to meet common password rules (e.g., "if the third output digit is even, capitalize the first letter of the website name and append it").

Case Example (No Code): Alice chooses her master secret $s$ as the digits "1984". Her $R$ involves always thinking of the alphabet in reverse order (Z=1, Y=2...). For website "bank.com", she takes the first and last letter (B, K), maps them via her reverse alphabet (B->25, K->16), adds them to her secret digits (25+1=26, 16+9=25), applies mod 26, and maps back to letters (26->A, 25->B). She then applies a personal rule ($R$) to insert a symbol after a vowel. Her final password for bank.com might be "A!B".

8. Future Applications & Research Directions

  • Hybrid Systems: Combining a human-computed core with a minimal, secure device (e.g., a smart ring) for a final transformation step, enhancing entropy.
  • Standardization & Accessibility: Developing a suite of certified algorithms for different cognitive profiles and abilities, potentially integrated into operating system login frameworks.
  • Continuous Authentication: Using subtle variations of the core function for generating one-time codes or behavioral biometric seeds.
  • Post-Quantum Considerations: Exploring if human-computable functions based on lattice problems or other PQ-hard problems could be designed, as suggested by research into "proofs of human-work".

9. References

  1. [3] Security Analysis of Popular Password Managers. USENIX Security.
  2. [4] B. Ross, et al. "Stronger Password Authentication Using Browser Extensions." USENIX Security 2005.
  3. [10] Verizon Data Breach Investigations Report. 2023.
  4. [15] "Zero-Day Vulnerabilities in Password Managers." Cybersecurity & Infrastructure Security Agency (CISA).
  5. [16] Google / Harris Poll. "Online Security Survey." 2022.
  6. [17] Digital Identity Trends. Dashlane. 2023.
  7. [30] "World's Most Common Passwords." NordPass. 2023.
  8. [34] S. Gaw and E. W. Felten. "Password Management Strategies for Online Accounts." SOUPS 2006.
  9. [37] B. Gassend, et al. "Silicon Physical Random Functions." CCS 2002. (Seminal PUF paper)
  10. [43] FTC. "Consumer Sentinel Network Data Book." 2022.
  11. NIST Special Publication 800-63B: Digital Identity Guidelines.
  12. Isola, P., et al. "Image-to-Image Translation with Conditional Adversarial Networks." CVPR 2017. (For analogy on learning complex mappings).

10. Expert Analysis & Critical Review

Core Insight

Trenchcoat isn't just another password scheme; it's a radical pivot from storage-based to computation-based personal security. Its core insight is that the human brain, with its unique, unclonable configuration ($R$), can be the most secure "hardware wallet" for secret derivation—if we design the right software. This directly challenges the prevailing industry dogma that users are the weakest link and must be abstracted away from the security process via password managers. Instead, it argues for empowering the user as a cryptographic coprocessor.

Logical Flow

The paper's logic is compelling but reveals its own tension. It starts from the undeniable failure of current practices (reuse, weak passwords). It correctly identifies the cognitive load as the root cause. Its solution—human-computable functions—is elegant in theory: reduce the memorization burden to one secret, offload uniqueness to computation. However, the flow stumbles when it must confront adversarial evaluation. The authors admit traditional cryptanalysis falls short, retreating to entropy estimates. This isn't a minor flaw; it's the central challenge. The security of the entire system rests on the intractability of modeling an individual's $R$, a claim more grounded in cognitive science than in provable cryptography. It's reminiscent of early arguments for biometrics—uniqueness does not automatically equate to robust, analyzable security under attack.

Strengths & Flaws

Strengths: The focus on accessibility and neurodiversity is a major, often overlooked, contribution. By designing for primitive operations, it potentially includes users excluded by text-heavy or complex interfaces. The concept of a Cognitive PUF (C-PUF) is intellectually fertile, offering a new lens for human-factor authentication. The user study, while moderate in size, provides crucial real-world validation missing from many purely theoretical proposals.

Flaws: The "black box" of R is a double-edged sword. If $R$ is too simple or predictable (e.g., "I always use my birthday"), security collapses. If it's too complex, recall fails. There's no guidance for users to choose a "strong" $R$. Policy incompatibility is a practical killer. If a website demands a 16-character password with two symbols, can a user's mental algorithm reliably adapt? The paper glosses over this. Finally, error tolerance is nil. A mistake in one mental step likely yields an irrecoverable wrong password, unlike a manager's copy-paste.

Actionable Insights

For Security Architects: Don't dismiss this as academic. Pilot a Trenchcoat-inspired method for internal test accounts where password managers are banned. Use it to stress-test the concept of "cognitive secret" strength. For UX Researchers: The algorithms here are a goldmine for studying how different cognitive styles approach problem-solving. Collaborate to build a taxonomy of $R$ types. For Standards Bodies (NIST, FIDO): Watch this space. The next iteration of authentication guidelines must consider hybrid models. Initiate a working group on "Human-Assisted Cryptographic Primitives" to establish evaluation frameworks, moving beyond entropy to robust threat models that include social engineering and partial $R$ leakage. The ultimate takeaway: Trenchcoat may not be the final answer, but it brilliantly reframes the question. The future of personal authentication lies not in removing the human, but in redesigning the interface between cryptography and cognition.