Improving multiple-password recall: an empirical study

As one of the most common authentication methods, passwords help secure information by granting access only to authorized parties. To be effective, passwords should be strong, secret, and memorable. While password strength can be enforced by automated information technology policies, users frequently jeopardize secrecy to improve memorability. The password memorability problem is exacerbated by the number of different passwords a user is required to remember. While short-term memory theories have been applied to individual-password management problems, the relationship between memory and the multiple-password problem has not been examined. This paper treats the multiple-password management crisis as a search and retrieval problem involving human beings’ long-term memory. We propose that interference between different passwords is one of the major challenges to multiple-password recall and that interference alleviation methods can significantly improve multiple-password recall. A lab experiment was conducted to examine the effectiveness of two interference alleviation methods: the list reduction method and the unique identifier method. While both methods improve multiple-password recall performance, the list reduction method leads to statistically significant improvement. The results demonstrate the potential merit of practices targeting multiple-password interference. By introducing long-term memory theory to multiple-password memorability issues, this study presents implications benefiting users and serves as the potential starting point for future research.
