A Cognitive-Behavioral Framework of User Password Management Lifecycle

  • Yee-Yin Choong
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8533)


Passwords are the most commonly used mechanism in controlling users’ access to information systems. Little research has been established on the entire user password management lifecycle from the start of generating a password, maintaining the password, using the password to authenticate, then to the end of the lifespan of the password when it needs to be changed. We develop a cognitive-behavioral framework depicting the cognitive activities that users perform within each stage, and how the stages interact with the human information processor, i.e. memory and attention resources. Individual factors are also represented in the framework such as attitudes, motivations, and emotions that can affect users’ behaviors during the password management lifecycle. The paper discusses cognitive and behavioral activities throughout the lifecycle as well as the associated economics. We show the importance of a holistic approach in understanding users’ password behaviors and the framework provides guidance on future research directions.


Keywords: password, password management lifecycle, cyber security, password policy, usability, cognitive-behavioral framework, economics of passwords



Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Yee-Yin Choong (1)
  1. National Institute of Standards and Technology, Gaithersburg, USA
