Contextualizing Mnemonic Phrase Passwords
Our society depends on password-based authentication methods for accessing valuable information. However, the use of weak passwords is placing us at risk. Cyber security systems encourage users to employ strong passwords, often by increasing requirements. Unfortunately, using a strong password requires more cognitive effort. This increase in effort pushes users to find workarounds that directly harm security. The paradox between security and usability has often resulted in simply blaming users rather than seeking a Human-Centered Design perspective. We introduce a strategy for developing strong passwords that embeds contextual cues within mnemonic phrase passwords. Using this strategy, participants were able to create strong passwords and remember them better than with a traditional mnemonic strategy.
Keywords: Usable security; Authentication; Human memory; Human-centered-design
This research was supported by the Psychology of Design laboratory. We thank V.S. for creating the password validation application and Carnegie Mellon University for the use of the PGS.