ABSTRACT
Users tend to create passwords that are easy to guess, while system-assigned passwords tend to be hard to remember. Passphrases, space-delimited sets of natural language words, have been suggested as both secure and usable for decades. In a 1,476-participant online study, we explored the usability of 3- and 4-word system-assigned passphrases in comparison to system-assigned passwords composed of 5 to 6 random characters, and 8-character system-assigned pronounceable passwords. Contrary to expectations, system-assigned passphrases performed similarly to system-assigned passwords of similar entropy across the usability metrics we examined. Passphrases and passwords were forgotten at similar rates, led to similar levels of user difficulty and annoyance, and were both written down by a majority of participants. However, passphrases took significantly longer for participants to enter, and appear to require error-correction to counteract entry mistakes. Passphrase usability did not seem to increase when we shrank the dictionary from which words were chosen, reduced the number of words in a passphrase, or allowed users to change the order of words.
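To make the "similar entropy" comparison in the abstract concrete, the following added example (not code from the paper) computes the guess-space entropy of each study condition, and quantifies what the two passphrase variations mentioned above, a smaller dictionary and order-independent entry, cost in bits. The dictionary size of 1,024 words and the 62-character alphanumeric alphabet are assumptions; the paper's actual dictionary sizes are not given on this page.

```python
import math


def passphrase_bits(dict_size: int, words: int, any_order: bool = False) -> float:
    """Entropy in bits of a system-assigned passphrase of `words` words drawn
    uniformly, with replacement, from a dictionary of `dict_size` entries.

    If the verifier accepts the words in any order (any_order=True), an attacker
    only has to guess the multiset of words, so the space shrinks from D**k to
    C(D + k - 1, k), roughly a loss of log2(k!) bits.
    """
    if any_order:
        space = math.comb(dict_size + words - 1, words)
    else:
        space = dict_size ** words
    return math.log2(space)


def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of `length` characters drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def study_conditions(dict_size: int = 1024) -> dict:
    """Bits for the conditions named in the abstract.

    The dictionary size is an assumption chosen so that 3 words match 5 random
    alphanumerics; halving it (the 'shrunk dictionary' variation) costs one bit
    per word. The 8-character pronounceable condition is omitted because its
    entropy depends on the generator's phoneme rules, not on length alone.
    """
    return {
        "3 words, ordered": passphrase_bits(dict_size, 3),
        "3 words, any order": passphrase_bits(dict_size, 3, any_order=True),
        "3 words, half-size dictionary": passphrase_bits(dict_size // 2, 3),
        "4 words, ordered": passphrase_bits(dict_size, 4),
        "4 words, any order": passphrase_bits(dict_size, 4, any_order=True),
        "5 random chars [a-zA-Z0-9]": password_bits(5, 62),
        "6 random chars [a-zA-Z0-9]": password_bits(6, 62),
    }


if __name__ == "__main__":
    for condition, bits in study_conditions().items():
        print(f"{condition:32s} {bits:6.2f} bits")
```

With these assumptions, 3 ordered words (30 bits) sit between the 5- and 6-character random passwords (29.8 and 35.7 bits), and accepting any word order gives back about 2.6 bits to an attacker.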
Correct horse battery staple: exploring the usability of system-assigned passphrases