Date post: | 13-Jan-2016 |
The memorability and security of passwords – some empirical results
By: Jianxin Yan, Alan Blackwell, Ross Anderson, Alasdair Grant
Presenter: Roy Ford
Purpose of Study
A number of guidelines have been produced on how to create passwords, but no one has studied which types of passwords are easier to remember
Do users choose easy-to-remember passwords over good passwords?
Can users be educated to produce better passwords?
Human Memory is Fallible
Memory for sequences of items is temporally limited
Short-term capacity is 5-9 items (e.g. 7-digit phone numbers)
Sequences must be chunked
Memory thrives on redundancy
Common advice on password selection
Passwords should be a mix of letters and numbers
Passwords should not contain common words
Passwords should not be written down
Use random characters if possible
Use random letters that sound like a word
Common advice on password selection (continued)
Use a pass phrase to remember the password
Passwords must be a minimum length
Passwords must be changed at a regular interval
Passwords must contain a mix of letters and numbers (system enforced)
Experimental Study
288 freshman students volunteered to take part in the study and were divided into 3 groups:
Group instructed to pick random passwords by pointing at letters and writing them down
Group instructed to use pass phrases to memorize their passwords
Control group not given any instruction
Breakdown of Subjects
Group              Number of users
Control Group      95
Random Password    96
Pass Phrase        97
Comparison Group   100
Experimental Study (continued)
After 1 month, various attacks were performed on their passwords to see how complex they were
User requests to change passwords were monitored
After 4 months, the subjects were emailed with a 2 question survey
Password Attacks
Four attacks were applied against the passwords of the test subjects and an additional 100 comparison users:
Dictionary attack
Permutation of words and numbers
User information attack
Brute force attack (if the password was only 6 characters long)
Results - Password Length
Group              Selected password length (average)
Control Group      7.6
Random Password    8
Pass Phrase        7.9
Comparison Group   7.3
Results – Passwords that could be cracked
Group              Cracked passwords
Control Group      30 (32%)
Random Password    8 (8%)
Pass Phrase        6 (6%)
Comparison Group   33 (33%)
Results – Brute Force Attacks
Group              Passwords cracked by brute force (6 or fewer characters)
Control Group      3
Random Password    3
Pass Phrase        3
Comparison Group   2
Password Memorization
The study also wanted to see how much trouble users had remembering their passwords
System admin calls were tracked to see if users were resetting their passwords
A survey was sent to users questioning them on their passwords
Password Survey
Two question survey:
How hard did you find it to memorize your password (1 = trivial, 5 = impossible)?
How long did you have to carry your password with you (in weeks), as you had not memorized it?
Results – System Admin calls for Password Reset
Group              System admin calls for password resets
Control Group      2
Random Password    1
Pass Phrase        3
Results – Number of Subjects who responded to the survey
Group              Survey responses
Control Group      80 (84%)
Random Password    71 (74%)
Pass Phrase        78 (80%)
Total              229 (80%)
Results – Survey Results
Group              Difficulty to memorize (1-5)    Weeks to remember
Control Group      1.52                            0.7
Random Password    3.15                            4.8
Pass Phrase        1.67                            0.6
Conclusions
People have difficulty remembering random passwords
Some users never memorized their passwords
Pass phrase passwords are harder to crack
Random passwords are no stronger than pass phrase passwords
Conclusions (continued)
Pass phrase passwords are as easy to remember as naively selected passwords
Educating users to use random or pass phase passwords does not improve security unless there is a way to enforce the policy, since 10% of users failed to comply with the request.
Recommendations
Users should be instructed to use pass phrase passwords
Users should be encouraged to use 10+ character passwords
Passwords should contain numbers and letters
Recommendations (continued)
Compliance to policy should be enforced if possible
Centrally assigned random passwords improve security through improved policy compliance
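As an added example (not code from the presentation or the paper), the check below enforces the recommendations above and rejects the password shapes the study's four attacks target: short passwords open to brute force, dictionary words, words padded with digits, and passwords built from account details. The word list and user details are constructed for illustration.

```python
import re

# Constructed, illustrative word list; a real deployment loads a full dictionary file.
DICTIONARY = {"password", "welcome", "letmein", "monkey", "dragon", "football"}

MIN_LENGTH = 10          # recommendation: 10+ character passwords
BRUTE_FORCE_LENGTH = 6   # the study brute-forced passwords of 6 or fewer characters


def check_password(password, user_info=()):
    """Return the list of policy violations; an empty list means the password complies.

    user_info holds strings an attacker could read off the account itself
    (user name, surname), the basis of the study's user information attack.
    """
    problems = []
    lowered = password.lower()
    if len(password) <= BRUTE_FORCE_LENGTH:
        problems.append("brute-forceable: 6 characters or fewer")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    # Recommendation: passwords should contain both letters and numbers.
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("must contain both letters and digits")
    # Dictionary attack: the whole password is a common word.
    if lowered in DICTIONARY:
        problems.append("dictionary word")
    # Permutation attack: a dictionary word with digits prepended or appended.
    core = lowered.strip("0123456789")
    if core != lowered and core in DICTIONARY:
        problems.append("dictionary word padded with digits")
    # User information attack: account details embedded in the password.
    for item in user_info:
        if item and item.lower() in lowered:
            problems.append("contains user information: %s" % item)
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, including a pass-phrase-derived password that complies.
    for pw, info in [("abc12", ()), ("monkey1", ()), ("Password", ()),
                     ("alice.smith2016", ("alice", "Smith")),
                     ("Tr4ffic-c0ne-ov3rhead", ())]:
        print(pw, "->", check_password(pw, info) or "compliant")
```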