Abstract
Many users must authenticate to multiple systems and applications, often using different passwords, on a daily basis. At the same time, the recommendations of security experts are driving increases in the required character length and complexity of passwords. The thinking is that longer passwords will result in greater “entropy,” or randomness, making them more difficult to guess. The greater complexity requires inclusion of upper- and lower-case letters, numerals, and special characters. How users interact and cope with passwords of different length and complexity is a topic of significant interest to both the computer science and cognitive science research communities.
Using experimental methodology from the behavioral sciences, we set out to answer the following question: how memorable are complex character strings of different lengths that might be used as higher-entropy passwords? In this experiment, participants were asked to memorize a series of ten different character strings and type them repeatedly into a computer program. Character string lengths varied and the random characters were made up of alphanumeric and special characters in order to mimic passwords. Not surprisingly, our findings indicate that the longer a character string is, the longer it takes for a person to recall it, and the more likely they are to make an error when trying to re-type that string. These effects are particularly pronounced for strings of eight to ten characters or longer.
The rights of this work are transferred to the extent transferable according to title 17 U.S.C. 105.
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Stanton, B.C., Greene, K.K. (2014). Character Strings, Memory and Passwords: What a Recall Study Can Tell Us. In: Tryfonas, T., Askoxylakis, I. (eds) Human Aspects of Information Security, Privacy, and Trust. HAS 2014. Lecture Notes in Computer Science, vol 8533. Springer, Cham. https://doi.org/10.1007/978-3-319-07620-1_18
DOI: https://doi.org/10.1007/978-3-319-07620-1_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-07619-5
Online ISBN: 978-3-319-07620-1
eBook Packages: Computer Science (R0)