Effects of Password Permutation on Subjective Usability Across Platforms

  • Kristen K. Greene
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9190)

Abstract

The current work examines the effects of password permutation on subjective usability across platforms, using system-generated passwords that adhere to the password requirements found in higher-security enterprise environments. This research builds upon a series of studies at the National Institute of Standards and Technology by testing a previously proposed idea of password permutation: grouping like character classes together in order to improve password usability. Password permutation improves mobile device entry by reducing the number of keystrokes required to enter numbers and symbols. Across platforms (smartphone, tablet, and desktop computer) participants rated the longer (length 14) permuted passwords as easier to type than the shorter (length 10) non-permuted passwords. This demonstrates that the composition and structure of a password are important; people are sensitive to factors beyond simple password length. By combining qualitative and quantitative research, we will ultimately arrive at a more complete understanding of how password construction impacts usability.
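The keystroke effect described in the abstract, worked through as an added example that is not taken from the paper. The group order, the two-screen onscreen keyboard model (one tap to switch between the letters screen and the numbers/symbols screen, one shift tap per uppercase letter) and the sample password are assumptions constructed for illustration.

```python
import string

# Assumed group order (not stated on this page): upper, lower, digits, symbols.
CLASS_ORDER = ("upper", "lower", "digit", "symbol")


def char_class(ch):
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.digits:
        return "digit"
    return "symbol"


def permute_by_class(password):
    """Stable regrouping: same characters, like classes made adjacent."""
    return "".join(sorted(password, key=lambda ch: CLASS_ORDER.index(char_class(ch))))


def screen_switches(password):
    """Taps on the keyboard-mode key, starting from the letters screen."""
    switches, on_letters = 0, True
    for ch in password:
        needs_letters = ch in string.ascii_letters
        if needs_letters != on_letters:
            switches += 1
            on_letters = needs_letters
    return switches


def keystrokes(password):
    """Total taps under the assumed model: characters + shifts + screen switches."""
    shifts = sum(ch in string.ascii_uppercase for ch in password)
    return len(password) + shifts + screen_switches(password)


if __name__ == "__main__":
    original = "q3#Tb8$mK2"  # constructed sample, not a password from the study
    permuted = permute_by_class(original)
    for label, pw in (("original", original), ("permuted", permuted)):
        print(f"{label}: {pw}  switches={screen_switches(pw)}  taps={keystrokes(pw)}")
```

Under this model the shift taps are unchanged by permutation; the saving comes entirely from fewer switches between keyboard screens.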

Keywords

Passwords; Authentication; Mobile text entry; Typing; Touchscreens; Smartphones; Tablets; Password permutation; Chunking; Usable security

Notes

Acknowledgements

The author gratefully acknowledges Brian Stanton at NIST.

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. National Institute of Standards and Technology, Gaithersburg, USA
