Character Strings, Memory and Passwords: What a Recall Study Can Tell Us
Many users must authenticate to multiple systems and applications, often using different passwords, on a daily basis. At the same time, the recommendations of security experts are driving increases in the required character length and complexity of passwords. The thinking is that longer passwords will result in greater “entropy,” or randomness, making them more difficult to guess. The greater complexity requires inclusion of upper- and lower-case letters, numerals, and special characters. How users interact and cope with passwords of different length and complexity is a topic of significant interest to both the computer science and cognitive science research communities.
Using experimental methodology from the behavioral sciences, we set out to answer the following question: how memorable are complex character strings of different lengths that might be used as higher-entropy passwords? In this experiment, participants were asked to memorize a series of ten different character strings and type them repeatedly into a computer program. String lengths varied, and the strings were made up of random alphanumeric and special characters in order to mimic passwords. Not surprisingly, our findings indicate that the longer a character string is, the longer it takes a person to recall it, and the more likely they are to make an error when trying to re-type that string. These effects are particularly pronounced for strings of eight to ten characters or longer.
Keywords: passwords, security, character strings, memory, recall