Character Strings, Memory and Passwords: What a Recall Study Can Tell Us

  • Brian C. Stanton
  • Kristen K. Greene
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8533)

Abstract

Many users must authenticate to multiple systems and applications, often using different passwords, on a daily basis. At the same time, the recommendations of security experts are driving increases in the required character length and complexity of passwords. The thinking is that longer passwords will result in greater “entropy,” or randomness, making them more difficult to guess. The greater complexity requires inclusion of upper- and lower-case letters, numerals, and special characters. How users interact and cope with passwords of different length and complexity is a topic of significant interest to both the computer science and cognitive science research communities.

Using experimental methodology from the behavioral sciences, we set out to answer the following question: how memorable are complex character strings of different lengths that might be used as higher-entropy passwords? In this experiment, participants were asked to memorize a series of ten different character strings and type them repeatedly into a computer program. Character string lengths varied and the random characters were made up of alphanumeric and special characters in order to mimic passwords. Not surprisingly, our findings indicate that the longer a character string is, the longer it takes for a person to recall it, and the more likely they are to make an error when trying to re-type that string. These effects are particularly pronounced for strings of eight to ten characters or longer.

Keywords

passwords security character strings memory recall 

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Brian C. Stanton (1)
  • Kristen K. Greene (1)
  1. National Institute of Standards and Technology, Gaithersburg, USA
