Forgetting of Passwords: Ecological Theory and Data

It is well known that text-based passwords are hard to remember and that users prefer simple (and insecure) passwords. However, despite extensive research on the topic, no principled account exists for explaining when a password will be forgotten. This paper contributes new data and a set of analyses building on the ecological theory of memory and forgetting. We propose that human memory naturally adapts according to an estimate of how often a password will be needed, such that frequently used, important passwords are less likely to be forgotten. We derive models for login duration and odds of recall as a function of the rate of use and the number of uses so far. The models achieved a root-mean-square error (RMSE) of 1.8 seconds for login duration and 0.09 for recall odds on data collected in a month-long field experiment in which the frequency of password use was controlled. The theory and data shed new light on password management, account usage, password security and memorability.
