A Framework for Creating Secure and Memorable Passwords

Despite their pitfalls, passwords remain ubiquitous. Users are encouraged to make passwords that are easy to remember and hard to guess, but as the number of information systems (IS) accounts per user proliferates, this is easier said than done. We tackle the competing goals of security and memorability, applying design science to create a framework for producing personalized algorithms which users may then use to create passwords that are both secure and memorable.
