Multi-cultural Empirical Study of Password Strength Versus Ergonomic Utility

  • Conference paper
Advances in Human Factors in Cybersecurity

Abstract

This paper presents the findings of a principled, empirical study of password security. Security policies direct users to select long passwords having arcane collections of case, numerals, and special characters, and no whole words. Then users are told to change passwords often, never to reuse them, and not to record them:

Requirement 1: Passwords must be impossible to remember.

Requirement 2: Memorize all passwords.

When faced with an inconvenient request for a new password, many people reflexively reuse existing passwords, or concoct minimally adequate, easily memorable passwords on-the-fly. In this study, volunteers access the project website to complete a demographic survey, and are asked to create passwords at various points. Later in the encounter, they are asked to reiterate these passwords. Password strength (as determined by an open-source application described in the paper) is correlated with password memorability (ergonomic utility) within the context of the collected demographic factors.

Acknowledgments

The Sirius 16A Team acknowledges the support of Webster University, Space Coast Region; and its Melbourne, Florida Campus Director, Dr. Robert Cox.

Corresponding author

Correspondence to Monte Hancock.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Hancock, M. et al. (2016). Multi-cultural Empirical Study of Password Strength Versus Ergonomic Utility. In: Nicholson, D. (eds) Advances in Human Factors in Cybersecurity. Advances in Intelligent Systems and Computing, vol 501. Springer, Cham. https://doi.org/10.1007/978-3-319-41932-9_26

  • DOI: https://doi.org/10.1007/978-3-319-41932-9_26

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-41931-2

  • Online ISBN: 978-3-319-41932-9

  • eBook Packages: Engineering, Engineering (R0)
