Isn't that Fantabulous: Security, Linguistic and Usability Challenges of Pronounceable Tokens

NSPW(2014)

Abstract
Over the past few decades, passwords as a means of user authentication have been consistently criticized by users and security analysts alike. However, password-based systems are ubiquitous and entrenched in modern society: users understand how to use them, system administrators are intimately familiar with their operation, and many robust frameworks exist to make deploying passwords simple. Unfortunately, much of the formal research on user authentication has focused on attempting to provide alternatives (e.g., biometrics) to password-based mechanisms (or belated analyses of users' password choices), forcing administrators to use ad-hoc methods in attempts to improve security. This practice has led to user frustration and inflated estimates of system security. We challenge common wisdom and re-examine whether pronounceable authentication strings might indeed offer a more reasonable alternative to traditional passwords. We argue that pronounceable authentication strings can lead to both improved system security and a decreased burden on users. To re-examine this potential, we explore questions related to how one might develop techniques for rating the pronounceability of word-like strings, and in doing so, enable one to quantify pronunciation difficulty. Armed with such an understanding, we posit new directions for generating usable passwords which are pronounceable and, we hope, memorable, hint-able and resistant to attack.
Keywords
authentication,lexical blends,pronounceable passwords,usable security