The Authentication Equation: A Tool to Visualize the Convergence of Security and Usability of Text-Based Passwords

  • Cathryn A. PloehnEmail author
  • Kristen K. Greene
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9190)


Password management is a ubiquitous struggle of the modern human. Despite usability playing a vital role in authentication, many password policies and requirements focus on security without sufficient consideration of human factors. In fact, security and usability needs are often in contention. Until an improved authentication method beyond character input is implemented on a large scale, developing new methodologies for balancing competing requirements is vital.

This research project focused on building a data visualization tool to explore password usability and security metrics. The visualization tool integrates various measurements of passwords, enabling exploration of the intersection of their usability and security components. The tool is based on insight from previously gathered data from usability studies conducted at the United States National Institute of Standards and Technology. It also leverages web technologies to flexibly display data sets computed from sets of passwords. The tool is available at


Data visualization Usable security Keystrokes Entropy Password policies Password permutation 


  1. 1.
    Choong, Y.Y., Theofanos, M., Liu, H.K.: United States Federal Employees Password Management Behaviors-a Department of Commerce Case Study. National Institute of Standards and Technology Interagency Report (NISTIR) (2014)Google Scholar
  2. 2.
    Stanton, B.C., Greene, K.K.: Character strings, memory and passwords: what a recall study can tell us. In: Tryfonas, T., Askoxylakis, I. (eds.) HAS 2014. LNCS, vol. 8533, pp. 195–206. Springer, Heidelberg (2014) Google Scholar
  3. 3.
    Cheswick, W.: Rethinking passwords. Commun. ACM 56, 40–44 (2013)CrossRefGoogle Scholar
  4. 4.
    Florêncio, D., Herley, C., Van Oorschot, P.C.: Password portfolios and the finite-effort user: sustainably managing large numbers of accounts. In: Proceedings of the USENIX Security (2014)Google Scholar
  5. 5.
    Adams, A., Sasse, M.A., Lunt, P.: Making passwords secure and usable. In: Thimbleby, H., O’Conaill, B., Thomas, P.J. (eds.) People and Computers XII, pp. 1–19. Springer, London (1997)CrossRefGoogle Scholar
  6. 6.
    Grawemeyer, B., Johnson, H.: Using and managing multiple passwords: a week to a view. Interact. Comput. 23, 256–267 (2011)CrossRefGoogle Scholar
  7. 7.
    Shay, R., Komanduri, S., Kelley, P.G., Leon, P.G., Mazurek, M.L., Bauer, L., Christin, N., Cranor, L.F.: Encountering stronger password requirements: user attitudes and behaviors. In: Proceedings of the Sixth Symposium on Usable Privacy and Security, p. 2. ACM (2010)Google Scholar
  8. 8.
    Inglesant, P.G., Sasse, M.A.: The true cost of unusable password policies: password use in the wild. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 383–392. ACM (2010)Google Scholar
  9. 9.
    Boothroyd, V., Chiasson, S.: Writing down yourPassword: does it help? In: 2013 Eleventh Annual International Conference on Privacy, Security and Trust (PST), pp. 267–274. IEEE (2013)Google Scholar
  10. 10.
    Greene, K.K., Gallagher, M.A., Stanton, B.C., Lee, P.Y.: I can’t type that! p@$$w0rd entry on mobile devices. In: Askoxylakis, I., Tryfonas, T. (eds.) HAS 2014. LNCS, vol. 8533, pp. 160–171. Springer, Heidelberg (2014)Google Scholar
  11. 11.
    Hayashi, E., Hong, J., Christin, N.: Security through a different kind of obscurity: evaluating distortion in graphical authentication schemes. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2055–2064. ACM (2011)Google Scholar
  12. 12.
    Somayaji, A., Mould, D., Brown, C.: Towards narrative authentication: or, against boring authentication. In: Proceedings of the 2013 Workshop on New Security Paradigms Workshop, pp. 57–64. ACM (2013)Google Scholar
  13. 13.
    National Strategy for Trusted Identities in Cyberspace: Enhancing online choice, efficiency, security, and privacy (2011)Google Scholar
  14. 14.
    Marty, R.: Applied Security Visualization. Addison-Wesley, Upper Saddle River (2009) Google Scholar
  15. 15.
    Shneiderman, B.: The eyes have it: a task by data type taxonomy for information visualizations. In: Proceedings of the IEEE Symposium on Visual Languages, pp. 336–343. IEEE (1996)Google Scholar
  16. 16.
    Bergstrom, J.R., Frisch, S.A., Hawkins, D.C., Hackenbracht, J., Greene, K.K., Theofanos, M.F., Griepentrog, B.: Development of a scale to assess the linguistic and phonological difficulty of passwords. In: Rau, P.L.P. (ed.) CCD 2014. LNCS, vol. 8528, pp. 131–139. Springer, Heidelberg (2014) Google Scholar
  17. 17.
    von Zezschwitz, E., De Luca, A., Hussmann, H.: Honey, i shrunk the keys: influences of mobile devices on password composition and authentication performance. In: Proceedings of the 8th Nordic Conference on Human-Computer Interaction: Fun, Fast, Foundational, pp. 461–470. ACM (2014)Google Scholar
  18. 18.
    Shannon, C.E.: A mathematical theory of communication. ACM SIGMOBILE Mob. Comput. Commun. Rev. 5, 3–55 (2001)MathSciNetCrossRefGoogle Scholar
  19. 19.
    Burr, W., Dodson, D., Perlner, R., Polk, W., Gupta, S., Nabbus, E.: Nist sp800-63-2-electronic authentication guideline. National Institute of Standards and Technology (2013)Google Scholar
  20. 20.
    Greene, K., Kelsey, J., Franklin, J.: Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. National Institute of Standards and Technology Interagency Report (NISTIR) 8040 (2015)Google Scholar
  21. 21.
    Bostock, M., Ogievetsky, V., Heer, J.: D\(^3\) data-driven documents. IEEE Trans. Vis. Comput. Graph. 17, 2301–2309 (2011)CrossRefGoogle Scholar
  22. 22.
    Tufte, E.R., Graves-Morris, P.: The Visual Display of Quantitative Information, vol. 2. Graphics Press, Cheshire (1983)Google Scholar
  23. 23.
    Tyler, C.W.: Human Symmetry Perception and its Computational Analysis. Psychology Press, Hove (2003) Google Scholar
  24. 24.
    Florêncio, D., Herley, C., Van Oorschot, P.C.: An administrators guide to internet password research. In: Proceedings of the USENIX LISA (2014)Google Scholar
  25. 25.
    Kelley, P.G., Komanduri, S., Mazurek, M.L., Shay, R., Vidas, T., Bauer, L., Christin, N., Cranor, L.F., Lopez, J.: Guess again (and again and again): measuring password strength by simulating password-cracking algorithms. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 523–537. IEEE (2012)Google Scholar
  26. 26.
    Weir, M., Aggarwal, S., Collins, M., Stern, H.: Testing metrics for password creation policies by attacking large sets of revealed passwords. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 162–175. ACM (2010)Google Scholar
  27. 27.
    Galbally, J., Coisel, I., Sanchez, I.: A probabilistic framework for improved password strength metrics. In: 2014 International Carnahan Conference on Security Technology (ICCST), pp. 1–6. IEEE (2014)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.National Institute of Standards and TechnologyGaithersburgUSA

Personalised recommendations