Think Harder! Investigating the Effect of Password Strength on Cognitive Load during Password Creation

Strict password policies can frustrate users, reduce their productivity, and lead them to write their passwords down. This paper investigates the relation between password creation and cognitive load inferred from eye pupil diameter. We use a wearable eye tracker to monitor the user’s pupil size while creating passwords with different strengths. To assess how creating passwords of different strength (namely weak and strong) influences users’ cognitive load, we conducted a lab study (N = 15). We asked the participants to create and enter 6 weak and 6 strong passwords. The results showed that passwords with different strengths affect the pupil diameter, thereby giving an indication of the user’s cognitive state. Our initial investigation shows the potential for new applications in the field of cognition-aware user interfaces. For example, future systems can use our results to determine whether the user created a strong password based on their gaze behavior, without the need to reveal the characteristics of the password.
