Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Tap On, Tap Off: Onscreen Keyboards and Mobile Password Entry

Published

Author(s)

Kristen Greene, Joshua M. Franklin, John M. Kelsey

Abstract

Password entry on mobile devices significantly impacts both usability and security, but there is a dearth of usable security research in this area, specifically for complex password entry. To address this research gap, we set out to assign strength metrics to passwords for which we already had usability data, in an effort to have a more meaningful comparison between usability and security. A primary accomplishment of this work is our method of optimizing the input of randomly generated passwords on mobile devices via password permutation. This is done by grouping character classes (i.e., uppercase, lowercase, numbers, symbols) together to minimize the total number of required keystrokes and decrease cognitive load. The number of keystrokes saved—the efficiency gained—via permutation depends on the number of onscreen keyboard changes required in the original password rather than on password length. The number of keyboard changes in turn depends on the frequency and placement of symbols and numbers. We propose a measurement method for quantifying effects on entropy resulting from this password permutation. Additionally, we created and are releasing python scripts (publicly available from https://github.com/usnistgov/PasswordMetrics) for the experiments on entropy loss we conducted across passwords ranging in length from five to 20 characters.
Citation
ShmooCon Archives

Keywords

authentication, password permutation, password generation, usable security

Citation

Greene, K. , Franklin, J. and Kelsey, J. (2015), Tap On, Tap Off: Onscreen Keyboards and Mobile Password Entry, ShmooCon Archives, [online], http://www.shmoocon.org/archives (Accessed June 19, 2024)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created May 1, 2015, Updated February 19, 2017