Password Education Based on Guidelines Tailored to Different Password Categories

General password policies do not guarantee that passwords fulfilling the requirements are good enough. The policies tend to be too broad to be useful for all users. Different users have different password design processes based on what kind of passwords they most easily remember. Users are also often left to generate passwords on their own without any training. In our study we used new password creation guidelines when teaching students password security. We divided passwords into three password categories: Word password, Mixture password and Non-word password. For each category different password generation guidelines were taught to students. Students had access to a password quality measurement tool, which not only measured the strength of the password but also guided students in the generation process. Our goal is to measure the effect of education on the strength of a password and analyze recall rates of the passwords created by the new guidelines. It is shown that education had a positive effect and that passwords became stronger right after the education. The most important result is that password structure changed: the variation of structures increased and different structure types were more evenly distributed. However, after half a year without reminders or education repetition, most of the positive effect was lost. While password structures still differed, they had become less complex as participants had given up using special characters. Recall rates of the passwords generated with the new guidelines are good.
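As an added illustration (not the paper's tool or its actual guidelines), the sketch below shows how a measurement tool can sort a password into the three categories named above and give category-specific feedback; the category rule, the constructed mini word list, the character-class sizes and the bit estimates are all assumptions made here.

```python
import math

# Constructed mini dictionary standing in for a real word list (assumption, not the paper's).
WORDLIST = {"password", "summer", "dragon", "welcome", "monkey", "river"}
# Character classes and their sizes for a naive keyspace estimate (symbol count assumed).
CLASS_SIZES = ((26, str.islower), (26, str.isupper), (10, str.isdigit),
               (33, lambda c: not c.isalnum()))

def _letters(password):
    """All alphabetic characters of the password, lowercased and joined."""
    return "".join(c for c in password if c.isalpha()).lower()

def _longest_word(letters):
    """Longest dictionary word contained in the letter sequence, or '' if none."""
    return max((w for w in WORDLIST if w in letters), key=len, default="")

def _alphabet_size(password):
    """Combined size of the character classes actually present in the password."""
    return sum(size for size, pred in CLASS_SIZES if any(pred(c) for c in password))

def classify(password):
    """Assumed category rule: letters form exactly one dictionary word -> Word;
    letters merely contain one -> Mixture; no dictionary word at all -> Non-word."""
    letters = _letters(password)
    if letters in WORDLIST:
        return "Word"
    return "Mixture" if _longest_word(letters) else "Non-word"

def keyspace_bits(password):
    """Naive estimate: length times log2 of the combined alphabet of classes present."""
    return len(password) * math.log2(_alphabet_size(password)) if password else 0.0

def strength_bits(password):
    """Category-aware estimate: an embedded dictionary word is one guess out of
    len(WORDLIST), so only the characters outside it earn per-character credit."""
    letters = _letters(password)
    word = letters if letters in WORDLIST else _longest_word(letters)
    if not word:
        return keyspace_bits(password)
    rest = len(password) - len(word)
    return math.log2(len(WORDLIST)) + rest * math.log2(_alphabet_size(password))

def guidance(password):
    """Category-specific feedback of the kind a creation-time tool could show."""
    category = classify(password)
    tips = [f"category: {category}, estimated {strength_bits(password):.1f} bits"]
    if category == "Word":
        tips.append("the whole word is a single guess; add length outside the word")
    elif category == "Mixture":
        tips.append("the embedded word is cheap to guess; keep the non-word part long")
    else:
        tips.append("no word to exploit, so length drives the cost; keep it long")
    if password and all(c.isalnum() for c in password):
        tips.append("no special characters: the alphabet is at most 62 symbols")
    return tips
```

The last tip corresponds to the regression the abstract reports after half a year, when participants dropped special characters even though the structural variety remained.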
