The Security and Memorability of Passwords Generated by Using an Association Element and a Personal Factor

  • Conference paper
Information Security Technology for Applications (NordSec 2011)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7161)

Abstract

A well-established truth regarding password authentication is that easily remembered passwords are weak. This study demonstrates that this is not necessarily true. Users can be encouraged to design strong passwords, using elements associated with a given service, together with a personal factor. Regulatory bodies and information security experts are often asked the question: “what is a good password?” We claim that this is not the right question; it should be: “how can one design multiple passwords that are strong and memorable at the same time?” This paper presents guidelines for password design that combine a Personal Factor with an element associated with the login site. Analysis of the passwords generated by a group of volunteers and their ability to recall multiple passwords at later moments in time show that one can actually achieve good memorability of strong and unique passwords.

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Helkala, K., Svendsen, N.K. (2012). The Security and Memorability of Passwords Generated by Using an Association Element and a Personal Factor. In: Laud, P. (eds) Information Security Technology for Applications. NordSec 2011. Lecture Notes in Computer Science, vol 7161. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29615-4_9

  • DOI: https://doi.org/10.1007/978-3-642-29615-4_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-29614-7

  • Online ISBN: 978-3-642-29615-4

  • eBook Packages: Computer Science (R0)
