Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Character Strings, Memory and Passwords: What a Recall Study Can Tell Us.

Published

Author(s)

Brian C. Stanton, Kristen Greene

Abstract

Many users must authenticate to multiple systems and applications, often using different passwords, on a daily basis. At the same time, the recommendations of security experts are driving increases in the required character length and complexity of passwords. The thinking is that longer passwords will result in greater “entropy,” or randomness, making them more difficult to guess. The greater complexity requires inclusion of upper- and lower-case letters, nu-merals, and special characters. How users interact and cope with passwords of different length and complexity is a topic of significant interest to both the computer science and cognitive science research communities. Using experimental methodology from the behavioral sciences, we set out to answer the following question: how memorable are complex character strings of different lengths that might be used as higher-entropy passwords? In this ex-periment, participants were asked to memorize a series of ten different character strings and type them repeatedly into a computer program. Character string lengths varied and the random characters were made up of alphanumeric and special characters in order to mimic passwords. Not surprisingly, our findings indicate that the longer a character string is, the longer it takes for a person to recall it, and the more likely they are to make an error when trying to re-type that string. These effects are particularly pronounced for strings of eight to ten characters or longer.
Proceedings Title
Proceedings of the 16th International Conference on Human-Computer Interaction
Conference Dates
June 22-27, 2014
Conference Location
Crete
Conference Title
The 16th International Conference on Human-Computer Interaction

Keywords

passwords, security, character strings, memory, recall

Citation

Stanton, B. and Greene, K. (2014), Character Strings, Memory and Passwords: What a Recall Study Can Tell Us., Proceedings of the 16th International Conference on Human-Computer Interaction, Crete, -1 (Accessed October 10, 2024)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created June 22, 2014, Updated February 19, 2017