The memorability and security of passwords – some empirical results By: Jianxin Yan, Alan Blackwell, Ross Anderson, Alasdair Grant Presenter: Roy Ford

Posted on 13-Jan-2016


TRANSCRIPT

Page 1: Title slide

Page 2: Purpose of Study

A number of guidelines have been produced on how to create passwords, but no one has studied which types of passwords are easier to remember.

Do users choose easy-to-remember passwords over good passwords?

Can users be educated to produce better passwords?

Page 3: Human Memory is Fallible

Memory for sequences of items is temporally limited
Short-term capacity is 5-9 items (e.g. 7-digit phone numbers)
Sequences must be chunked
Memory thrives on redundancy

Page 4: Common advice on password selection

Passwords should be a mix of letters and numbers
Passwords should not contain common words
Passwords should not be written down
Use random characters if possible
Use random letters that sound like a word

Page 5: Common advice on password selection (continued)

Use a pass phrase to remember the password
Passwords must be a minimum length
Passwords must be changed at a regular interval
Passwords must contain a mix of letters and numbers (system enforced)

Page 6: Experimental Study

288 freshman students volunteered to take part in the study and were split into 3 groups:
Group instructed to pick random passwords by pointing at letters and writing them down
Group instructed to use pass phrases to construct and memorize their passwords
Control group given no instruction

Page 7: Breakdown of Subjects

Group               Number of users
Control group       95
Random password     96
Pass phrase         97
Comparison group    100

The comparison group is 100 additional users who were not among the 288 volunteers.

Page 8: Experimental Study (continued)

After 1 month, a set of cracking attacks was run against the subjects' passwords to measure how resistant they were

User requests to have their passwords reset were monitored

After 4 months, the subjects were emailed a 2-question survey

Page 9: Password Attacks

Four attacks were applied against the passwords of the test subjects and of an additional 100 comparison users:
Dictionary attack
Permutation of words and numbers
User information attack
Brute force attack (only against passwords of 6 characters or fewer)
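The four attack classes on this slide, run as an added example against a constructed set of salted password hashes. This is not code from the study or from the presenter: the word list, the five user records, the salted-SHA-256 hashing (standing in for the crypt() hashes of the period) and the four-character lowercase brute-force limit are all assumptions made here so that it runs offline in a couple of seconds; the study attacked real password files and brute-forced passwords of up to six characters.

```python
"""Offline guessing in the four attack classes named on the slide.

Added example: not code from the Yan, Blackwell, Anderson and Grant study.
The word list, the user records and the salted SHA-256 scheme are
constructed here for illustration.
"""
import hashlib
import itertools
import string
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed word list; a real dictionary attack uses 10^5-10^6 words.
WORDLIST = ["password", "letmein", "dragon", "monkey", "cambridge", "student", "secret"]


def hash_password(salt: str, password: str) -> str:
    """Salted SHA-256 stands in for the crypt() hashes of the study's systems."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed accounts: salt, what an attacker knows about the user, and the
# stored hash. The plaintexts are chosen so that each falls to a different attack.
USERS = {
    "alice": {"salt": "a1", "info": ["alice", "smith", "1981"], "hash": hash_password("a1", "dragon")},
    "bob":   {"salt": "b2", "info": ["bob", "jones", "1980"],   "hash": hash_password("b2", "Monkey7")},
    "carol": {"salt": "c3", "info": ["carol", "white", "1982"], "hash": hash_password("c3", "white1982")},
    "dave":  {"salt": "d4", "info": ["dave", "brown", "1981"],  "hash": hash_password("d4", "qzkw")},
    "erin":  {"salt": "e5", "info": ["erin", "green", "1979"],  "hash": hash_password("e5", "Mc3pt&2d!")},
}


def dictionary_attack(wordlist: List[str]) -> Iterator[str]:
    """Attack 1: every word exactly as it appears in the list."""
    yield from wordlist


def permutation_attack(wordlist: List[str]) -> Iterator[str]:
    """Attack 2: list words with case changes and one or two digits added at either end."""
    for word in wordlist:
        for form in (word, word.capitalize(), word.upper()):
            yield form
            for n in range(100):
                yield f"{form}{n}"
                yield f"{n}{form}"


def user_info_attack(info: List[str]) -> Iterator[str]:
    """Attack 3: fragments of the user's own record, alone and combined."""
    for item in info:
        for form in (item, item.capitalize()):
            yield form
            for other in info:
                if other != item:
                    yield form + other
            for n in range(100):
                yield f"{form}{n}"


def brute_force(alphabet: str, max_len: int) -> Iterator[str]:
    """Attack 4: every string over the alphabet up to max_len characters."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            yield "".join(chars)


def crack(users: Dict[str, dict], brute_max_len: int = 4) -> Dict[str, Optional[Tuple[str, str]]]:
    """Run the attacks in order of cost; report which one (if any) recovered each password."""
    results: Dict[str, Optional[Tuple[str, str]]] = {}
    for name, rec in users.items():
        attacks = [
            ("dictionary", dictionary_attack(WORDLIST)),
            ("permutation", permutation_attack(WORDLIST)),
            ("user_info", user_info_attack(rec["info"])),
            ("brute_force", brute_force(string.ascii_lowercase, brute_max_len)),
        ]
        for label, candidates in attacks:
            hit = next((c for c in candidates if hash_password(rec["salt"], c) == rec["hash"]), None)
            if hit is not None:
                results[name] = (label, hit)
                break
        else:
            results[name] = None  # survived all four attacks
    return results


if __name__ == "__main__":
    for user, outcome in crack(USERS).items():
        print(f"{user}: {outcome or 'not cracked'}")
```

The attacks are ordered by cost, so a password is credited to the cheapest attack that recovers it; erin's phrase-derived password contains characters outside every generator and survives, which is the effect the pass-phrase group's 6% figure on page 11 reflects.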

Page 10: Results - Password Length

Average length of selected passwords (characters)

Control group       7.6
Random password     8.0
Pass phrase         7.9
Comparison group    7.3

Page 11: Results – Passwords that could be cracked

Cracked passwords, count (percentage of group)

Control group       30 (32%)
Random password      8 (8%)
Pass phrase          6 (6%)
Comparison group    33 (33%)

Page 12: Results – Brute Force Attacks

Passwords cracked by brute force (6 characters or fewer)

Control group       3
Random password     3
Pass phrase         3
Comparison group    2

Page 13: Password Memorization

The study also wanted to see how much trouble users had remembering their passwords
System administrator calls were tracked to see whether users were asking for password resets
A survey was sent to users asking about their passwords

Page 14: Password Survey

Two-question survey:
How hard did you find it to memorize your password? (1 = trivial, 5 = impossible)
How long did you have to carry your password with you (in weeks) because you had not memorized it?

Page 15: Results – System Admin Calls for Password Reset

System admin calls for password resets

Control group       2
Random password     1
Pass phrase         3

Page 16: Results – Number of Subjects who responded to the survey

Survey responses, count (percentage of group)

Control group        80 (84%)
Random password      71 (74%)
Pass phrase          78 (80%)
Total               229 (80%)

Page 17: Results – Survey Results

Group               Mean difficulty to memorize (1-5)   Mean weeks carried before memorized
Control group       1.52                                0.7
Random password     3.15                                4.8
Pass phrase         1.67                                0.6

Page 18: Conclusions

People have difficulty remembering random passwords
Some users never memorized their passwords
Pass phrase passwords are harder to crack than naively selected ones
Random passwords are no stronger than pass phrase passwords

Page 19: Conclusions (continued)

Pass phrase passwords are as easy to remember as naively selected passwords

Educating users to choose random or pass phrase passwords does not improve security unless the policy can be enforced, since 10% of users failed to comply with the instructions they were given.

Page 20: Recommendations

Users should be instructed to use pass phrase passwords
Users should be encouraged to use passwords of 10 or more characters
Passwords should contain both letters and numbers

Page 21: Recommendations (continued)

Compliance with policy should be enforced where possible
Centrally assigned random passwords improve security through improved policy compliance
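The last two slides ask for enforcement rather than advice alone. The following is an added example, not code from the study or from any deployed system, of a proactive check a system could apply when a password is set, together with a helper that builds a password from a phrase in the spirit of the instructions the pass phrase group received. The word list, the construction rule in mnemonic_password, the sample user record and the sample phrase are constructed here; MIN_LENGTH follows the slide's "10 or more characters" recommendation.

```python
"""Proactive password checking matching the recommendations on the last two slides.

Added example: not code from the study or from any deployed system. The word
list, the user record and the sample phrase are constructed here; MIN_LENGTH
follows the slide's recommendation of 10 or more characters.
"""
import re
from typing import Iterable, List

# Constructed word list; a real check uses the same large dictionary an attacker would.
WORDLIST = {"password", "letmein", "dragon", "monkey", "cambridge", "student", "secret", "white"}

MIN_LENGTH = 10


def mnemonic_password(phrase: str) -> str:
    """Build a password from a phrase: first letter of each word, numbers kept
    as digits, and "and" written as "&". Assumed construction rule, modelled on
    the pass phrase advice given to the study's subjects."""
    parts = []
    for word in phrase.split():
        if word.lower() == "and":
            parts.append("&")
        elif word.isdigit():
            parts.append(word)
        else:
            parts.append(word[0])
    return "".join(parts)


def check_password(password: str, user_info: Iterable[str],
                   wordlist=WORDLIST, min_length: int = MIN_LENGTH) -> List[str]:
    """Return the policy violations found; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("does not mix letters and digits")
    # Undo the cheap permutations an attacker tries (case changes, digits added
    # at either end) and reject if what remains is a dictionary word.
    core = re.sub(r"^\d+|\d+$", "", password).lower()
    if core in wordlist:
        problems.append("dictionary word, possibly with digits added")
    lowered = password.lower()
    for item in user_info:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    return problems


if __name__ == "__main__":
    bob = ["bob", "jones", "1980"]  # constructed user record
    print(check_password("Monkey7", bob))
    pw = mnemonic_password("My old dog Rex ate 3 socks and 2 shoes")
    print(pw, check_password(pw, bob))
```

The check is deliberately the inverse of the cheap attacks on page 9: rather than trusting the user to follow the advice, it strips the case and digit decorations an attacker would try and rejects anything that collapses to a dictionary word or to the user's own details, which is what "compliance should be enforced" means in practice.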