Character Strings, Memory and Passwords: What a Recall Study Can Tell Us.

Published: June 22, 2014

Author(s)

Brian C. Stanton, Kristen Greene

Abstract

Many users must authenticate to multiple systems and applications, often using different passwords, on a daily basis. At the same time, the recommendations of security experts are driving increases in the required character length and complexity of passwords. The thinking is that longer passwords will result in greater “entropy,” or randomness, making them more difficult to guess. The greater complexity requires inclusion of upper- and lower-case letters, numerals, and special characters. How users interact and cope with passwords of different length and complexity is a topic of significant interest to both the computer science and cognitive science research communities. Using experimental methodology from the behavioral sciences, we set out to answer the following question: how memorable are complex character strings of different lengths that might be used as higher-entropy passwords? In this experiment, participants were asked to memorize a series of ten different character strings and type them repeatedly into a computer program. Character string lengths varied and the random characters were made up of alphanumeric and special characters in order to mimic passwords. Not surprisingly, our findings indicate that the longer a character string is, the longer it takes for a person to recall it, and the more likely they are to make an error when trying to re-type that string. These effects are particularly pronounced for strings of eight to ten characters or longer.
Proceedings Title: Proceedings of the 16th International Conference on Human-Computer Interaction
Conference Dates: June 22-27, 2014
Conference Location: Crete
Conference Title: The 16th International Conference on Human-Computer Interaction
Pub Type: Conferences

Keywords

passwords, security, character strings, memory, recall
Created June 22, 2014, Updated February 19, 2017