Please use this identifier to cite or link to this item: https://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/3930
Title: Striking a balance between Password Strength and Memorability to Improve Information Security
Authors: Chandrasiri, H.M.S.P.K.
Herath, H.M.G.C.
Wickremaratne, J.N. De Wansa
Issue Date: 2017
Abstract: Text-based passwords have been the most popular form of authentication in the last four decades, with estimates that around a billion password-based authentications take place each day. However, cognitive limitations restrict humans from being able to remember multiple strong passwords to meet the growing requirement; this results in users generating passwords that they find easy to remember and recall. Such passwords face major weaknesses, primarily in the form of being predictable, making them vulnerable to guessing attacks. Further, memorability concerns drive users to reuse passwords on multiple sites, risking further loss as a result of an attack. In order to address the problem of password memorability and security, in our research we have presented a three-part model comprising a password generator, a password strength checker, and a memorability module. The system was tested over three iterations, and improvements were made based on findings at the end of each iteration. This system uses a unique approach to address memorability concerns by using a user’s autobiographical episodic memories to generate phrases, which act as the foundation for generating first-letter mnemonic-based passwords. The password strength checker evaluates generated passwords based on guessability; for this purpose we have used a widely accepted improved version of the “zxcvbn” strength checker. Also, the system facilitates elaborative rehearsal in the memory module to help users better retain the passwords; along with elaborative rehearsal, we have also used spaced repetition to help users retain the password in their long-term memories. The research was conducted following a pragmatic research approach, giving the necessary freedom to use both qualitative and quantitative methods, since the research deals with both human factors that require a qualitative approach and certain analytical requirements that require a more quantitative approach.
Given the limited time frame, we were unable to conduct a full user study when evaluating the system; hence we resorted to obtaining feedback from a limited user sample. The results from the selected sample show an overall positive response to improvements in the balance of password strength and memorability seen over each iteration. Further analysis of user feedback has shown an overall acceptance of the password generating approach. However, it is important that a full user study be conducted with a large population covering a broader demography in order to properly validate the effectiveness of the system and its approach.
URI: http://hdl.handle.net/123456789/3930
Appears in Collections: 2017

Files in This Item:
File: Group_2_Thesis.pdf
Size: 3.32 MB
Format: Adobe PDF


Items in UCSC Digital Library are protected by copyright, with all rights reserved, unless otherwise indicated.