The Security and Memorability of Passwords Generated by Using an Association Element and a Personal Factor

  • Kirsi Helkala
  • Nils Kalstad Svendsen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7161)


A well-established truth regarding password authentication is that easily remembered passwords are weak. This study demonstrates that this is not necessarily true. Users can be encouraged to design strong passwords, using elements associated with a given service, together with a personal factor. Regulatory bodies and information security experts are often asked the question: “what is a good password?” We claim that this is not the right question; it should be: “how can one design multiple passwords that are strong and memorable at the same time?” This paper presents guidelines for password design that combine a Personal Factor with an element associated to the login site. Analysis of the passwords generated by a group of volunteers and their ability to recall multiple passwords at later moments in time show that one can actually achieve good memorability of strong and unique passwords.


Personal Factor Authentication Scheme Authentication Mechanism Association Element Primary Association 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Adams, A., Sasse, M.A.: Users are not the enemy. Communications of the ACM 42, 40–46 (1999)CrossRefGoogle Scholar
  2. 2.
    Averell, L., Heathcote, A.: The Form of the Forgetting Curve and the fate of Memories. Journal of Mathematical Psychology 55, 25–35 (2010)MathSciNetCrossRefGoogle Scholar
  3. 3.
    Bonneau, J., Preibusch, S.: The password thicket: technical and market failures in human authentication on the web. In: WEIS 2010: Proceedings of the Ninth Workshop on the Economics of Information Security, Boston, MA, USA (June 2010)Google Scholar
  4. 4.
    Dhamija, R., Perrig, A.: Déjà Vu: A User Study Using Images for Authentication. In: Proceedings of 9th USENIX Security Symposium (2000)Google Scholar
  5. 5.
    Gehringer, E.F.: Choosing Passwords: Security and Human Factors. In: Proceedings of International Symposium on Technology and Society, pp. 369–373 (2002)Google Scholar
  6. 6.
    Grawemeyer, B., Johnson, H.: Using and Managing Multiple Passwords: A Week to a View. Interacting with Computers 23(3), 256–267 (2011)CrossRefGoogle Scholar
  7. 7.
    Halderman, J.A., Waters, B., Felten, E.W.: A Convenient Method for Securely Managing Passwords. In: Proceedings of the 14th International Conference on World Wide Web, pp. 471–479 (2005)Google Scholar
  8. 8.
    Helkala, K.: An Educational Tool for Password Quality Measurements. In: Proceedings of Norwegian Information Security Conference, pp. 69–80. Tapir Akademisk Forlag (2008)Google Scholar
  9. 9.
    Helkala, K.: Password Education Based on Guidelines Tailored to Different Password Categories. Journal of Computers 6(5) (2011)Google Scholar
  10. 10.
    Helkala, K., Snekkenes, E.: Password Generation and Search Space Reduction. Journal of Computers 4(7), 663–669 (2009)CrossRefGoogle Scholar
  11. 11.
    Hopper, N.J., Blum, M.: Secure Human Identification Protocols. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 52–66. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  12. 12.
    Ives, B., Walsh, K.R., Schneider, H.: The domino effect of password reuse. Communication of the ACM 47, 75–78 (2004)CrossRefGoogle Scholar
  13. 13.
    Jermyn, I., Mayer, A., Monrose, F., Reiter, M.K., Rubin, A.D.: The Design and Analysis of Graphical Passwords. In: Proceedings of the 8th Conference on USENIX Security Symposium, vol. 8, p. 1 (1999)Google Scholar
  14. 14.
    Kuhn, B.T., Garrison, C.: A survey of passwords from 2007 to 2009. In: 2009 Information Security Curriculum Development Conference, InfoSecCD 2009, pp. 91–94. ACM, New York (2009)CrossRefGoogle Scholar
  15. 15.
    Kuo, C., Romanosky, S., Cranor, L.F.: Human Selection of Mnemonic Phrase-Based Passwords. In: Proceedings of 2nd Symposium on Usable Privacy and Security, pp. 67–78. ACM Press (2006)Google Scholar
  16. 16.
    Li, X.-Y., Teng, S.-H.: Practical Human-Machine Identification over Insecure Channels. Journal of Combinatorial Optimization 3(4), 347–361 (1999)MathSciNetzbMATHCrossRefGoogle Scholar
  17. 17.
    Matsumoto, T.: Human-Computer Cryptography: An Attempt. In: Proceedings of the 3rd ACM Conference on Computer and Communications Security, pp. 68–75 (1996)Google Scholar
  18. 18.
    Sasse, M.A., Brostoff, S., Weirich, D.: Transforming the “Weakest Link” - Human/Computer Interaction Approach to Usable and Effective Security. BT Technol. 19, 122–131 (2001)CrossRefGoogle Scholar
  19. 19.
    Stubblefield, A., Simon, D.: Inkblot Authentication. Technical report, Microsoft Research, Microsoft Corporation (2004)Google Scholar
  20. 20.
    Villarrubia, C., Fernandez-Medina, E., Piattini, M.: Quality of Password Management Policy. In: The First International Conference on Availability, Reliability and Security, ARES 2006, p. 7 (April 2006)Google Scholar
  21. 21.
    Vu, K.-P.L., Proctor, R.W., Bhargav-Spantzel, A., Tai, B.-L.(Belin), Cook, J., Schultz, E.: Improving Password Security and Memorability to Protect Personal and Organizational Information. International Journal of Human-Computer Studies 65, 744–757 (2007)CrossRefGoogle Scholar
  22. 22.
    Weinshall, D.: Cognitive Authentication Schemes Safe Against Spyware (Short Paper). In: Proceedings of the 2006 IEEE Symposium on Security and Privacy (S&P 2006), pp. 295–300 (2006)Google Scholar
  23. 23.
    Yan, J., Blackwell, A., Anderson, R., Grant, A.: Password Memorability and Security: Empirical Results. IEEE Security & Privacy 2(5), 25–31 (2004)CrossRefGoogle Scholar
  24. 24.
    Zviran, M., Haga, W.J.: User authentication by cognitive passwords: an empirical assessment. In: Proceedings of the 5th Jerusalem Conference on Information Technology, pp. 137–144 (1990)Google Scholar
  25. 25.
    Zviran, M., Haga, W.J.: A Comparison of Password Techniques for Multilevel Authentication Mechanisms. Computer Journal 36(3), 227–237 (1993)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Kirsi Helkala
    • 1
  • Nils Kalstad Svendsen
    • 1
  1. 1.Gjøvik University CollegeNorway

Personalised recommendations