Users are able to remember their phone numbers and postal codes, their student numbers, PINs, and social insurance numbers. Why, then, do users have trouble remembering their passwords? This paper considers the hypothesis that being able to access written notes when needed would eventually help users to memorize the password. Further, we hypothesize that writing down passwords encourages the use of passwords that are more complex than their unwritten (memorized) counterparts. We surveyed 31 participants on their opinions and experiences with writing down passwords and tested whether these participants created more complex passwords when they were encouraged to write them down. Finally, we observed whether written passwords had higher login success rates when tested again at least one week later. Results indicate that, regardless of the experimental condition, users preferred to memorize their passwords rather than take the extra step of referring to their written notes. Additionally, memorized and written passwords were remembered equally well. Finally, we found that users who had difficulty logging in had passwords with significantly higher mean entropy, which confirms the heuristic that complex passwords are harder to remember. We also unexpectedly found that users' password habits are so strongly ingrained that they often ignored our instructions about writing or memorizing their password and continued to use their pre-established strategy. This observation is noteworthy for anyone conducting user authentication research.
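The abstract reports that harder-to-remember passwords had higher mean entropy but does not say which estimator was used. As an added illustration (not the study's code), the following implements two common heuristics for user-chosen passwords: the base per-character scheme from NIST SP 800-63 (2006) Appendix A, without its optional composition and dictionary bonuses, and a naive search-space estimate; the sample passwords are constructed, and the choice of these two estimators is an assumption.

```python
import math
import string

# Added example: two heuristics for estimating the "entropy" of a
# user-chosen password. The paper does not state which estimator it used;
# both functions here are assumptions for illustration, not the study's code.


def nist_user_chosen_bits(password: str) -> float:
    """Base estimate from NIST SP 800-63 (2006) Appendix A for user-chosen
    passwords, without the optional composition-rule and dictionary bonuses:
    4 bits for the first character, 2 bits each for characters 2-8,
    1.5 bits each for characters 9-20, and 1 bit each beyond 20."""
    n = len(password)
    if n == 0:
        return 0.0
    bits = 4.0
    bits += 2.0 * min(n - 1, 7)           # characters 2..8
    bits += 1.5 * min(max(n - 8, 0), 12)  # characters 9..20
    bits += 1.0 * max(n - 20, 0)          # characters 21 and beyond
    return bits


def search_space_bits(password: str) -> float:
    """Naive estimate that treats every character as drawn uniformly from the
    union of the character classes actually present (lowercase, uppercase,
    digits, ASCII punctuation): log2(pool_size ** length)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 ASCII punctuation characters
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def compare(passwords):
    """Return {password: (nist_bits, search_space_bits)} so the two heuristics
    can be read side by side for the same strings."""
    return {p: (nist_user_chosen_bits(p), search_space_bits(p)) for p in passwords}


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the study.
    for p, (nist, naive) in compare(["password", "P@ssw0rd", "correcthorsebatterystaple"]).items():
        print(f"{p:28s} NIST={nist:5.1f} bits  naive={naive:5.1f} bits")
```

Note that the NIST base scheme assigns "password" and "P@ssw0rd" the same 18 bits while the search-space estimate separates them widely, so comparisons of mean entropy across studies only make sense when the estimator is stated.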