U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

Measuring the Usability and Security of Permuted Passwords on Mobile Platforms

Published

Author(s)

Kristen K. Greene, John M. Kelsey, Joshua M. Franklin

Abstract

Password entry on mobile devices significantly impacts both usability and security, but there is a lack of usable security research in this area, specifically for complex password entry. To address this research gap, we set out to assign strength metrics to passwords for which we already had usability data, in an effort to have a more meaningful comparison between usability and security. This document reports a method of optimizing the input of randomly generated passwords on mobile devices via password permutation to allow for a comparison of password usability data. We found that the number of keystrokes saved - the efficiency gained - via permutation depends on the number of onscreen keyboard changes required in the original password rather than on password length. Additionally, we created and are releasing Python scripts (publicly available from https://github.com/usnistgov/PasswordMetrics) for the experiments on entropy loss we conducted across passwords ranging in length from 5 to 20 characters.
Citation
NIST Interagency/Internal Report (NISTIR) - 8040
Report Number
8040
NIST Pub Series
NIST Interagency/Internal Report (NISTIR)
Pub Type
NIST Pubs

Download Paper

https://doi.org/10.6028/NIST.IR.8040
Local Download

Keywords

authentication, mobile devices, onscreen keyboards, text entry, password entry, password permutation, password generation, security-usability balance, usable security
Information technology and Cybersecurity

Citation

Greene, K. , Kelsey, J. and Franklin, J. (2016), Measuring the Usability and Security of Permuted Passwords on Mobile Platforms, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.IR.8040, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=919509 (Accessed April 23, 2024)

Created April 24, 2016, Updated October 12, 2021