Slashdot Mirror


Password Memorability and Securability

NonNullSet writes "Who would have thought that something new could be said about how best to select passwords? Ross Anderson of Cambridge University and some of his colleagues have performed new empirical studies and found some pretty non-intuitive results. For example:

1. The first folk belief is that users have difficulty remembering random passwords. This belief is confirmed.
2. The second folk belief is that passwords based on mnemonic phrases are harder for an attacker to guess than naively selected passwords. This belief is confirmed.
3. The third folk belief is that random passwords are better than those based on mnemonic phrases. However, each appeared to be just as strong as the other. So this belief is debunked.
4. The fourth folk belief is that passwords based on mnemonic phrases are harder to remember than naively selected passwords. However, each appeared to be just as easy to remember as the other. So this belief is debunked.
5. The fifth folk belief is that by educating users to use random passwords or mnemonic passwords, we can gain a significant improvement in security. However, both random passwords and mnemonic passwords suffered from a non-compliance rate of about 10% (including both too-short passwords and passwords not chosen according to the instructions). While this is better than the 35% or so of users who choose bad passwords with only cursory instruction, it is not really a huge improvement. The attacker may have to work three times harder, but in the absence of password policy enforcement mechanisms there seems no way to make the attacker work a thousand times harder. In fact, our experimental group may be about the most compliant a systems administrator can expect to get. So this belief appears to be debunked."

2 of 436 comments

  1. PDF text by AnonymousDot · Score: 0, Redundant

    The Memorability and Security of Passwords
    Some Empirical Results

    Jianxin Yan, Alan Blackwell, Ross Anderson, Alasdair Grant

    Cambridge University Computer Laboratory

    Abstract. There are many things that are 'well known' about passwords, such as that users can't remember strong passwords and that the passwords they can remember are easy to guess. However, there seems to be a distinct lack of research on the subject that would pass muster by the standards of applied psychology.
    Here we report a controlled trial in which, of four sample groups of about 100 first-year students, three were recruited to a formal experiment and of these two were given specific advice about password selection. The incidence of weak passwords was determined by cracking the password file, and the number of password resets was measured from system logs. We observed a number of phenomena which run counter to the established wisdom. For example, passwords based on mnemonic phrases are just as hard to crack as random passwords yet just as easy to remember as naive user selections.

    Introduction
    Many of the deficiencies of password authentication systems arise from the limitations of human memory. If humans were not required to remember the password, a maximally secure password would be one with maximum entropy: it would consist of a string as long as the system allows, consisting of characters selected from all those allowed by the system, and in a manner that provides no redundancy - i.e., totally random selection.
    Each of these requirements is contrary to a well-known property of human memory. Firstly, human memory for sequences of items is temporally limited [1], with a short-term capacity of around seven plus or minus two items [2]. Second, when humans remember a sequence of items, those items cannot be drawn from an arbitrary and unfamiliar range, but must be familiar 'chunks' such as words or familiar symbols [2]. Third, human memory thrives on redundancy - we are far better at remembering information that can be encoded in multiple ways [3].
    Password authentication therefore appears to involve a tradeoff. Some passwords are very easy to remember (e.g. single words in the user's native language), but also very easy to guess with dictionary searches. In contrast, some passwords are very secure against guessing but difficult to remember. In the latter case the security of a superior password may be compromised due to human limitations, because the user may keep an insecure written record of it or resort to insecure backup authentication procedures after forgetting it.
    This paper presents an empirical investigation of these tradeoffs in the context of an actual population of password users. Research in cognitive psychology has defined many limits of human performance in laboratory settings where experimental subjects are required to memorise random and pseudo-random sequences of symbols. It is very difficult to generalise from such research to password users, who can select the string themselves, are able to rehearse it while memorising, and need to recall it at regular intervals over a long period of time.
    We show that this user context allows the exploitation of mnemonic strategies for password memorisation. There are many successful mnemonic techniques that can be used to achieve impressive performance when memorising apparently random sequences. Password alternatives such as "Pass Faces" exploit superior human memory for faces, for example [4]. However rather than changing the password authentication procedure, we propose changing the advice that is given to the user when selecting a password.

    Existing Advice on Password Selection
    Many large organisations give specific advice to new users about how to select a "good password". A good password, in terms of the above discussion, should aim to be reasonably long, use a reasonably large character set, but still be easy to remember. There are some subtleties about whether the att

  2. Multiword Passwords? by prandal · Score: 0, Redundant

    Why don't these studies test password schemes commonly found in the real world?

    I've seen (e.g. chrome=turnip) or even (e.g. purplegearbox), where the concatenated words do not form a dictionary word. Googlewhackers could have fun generating (in)secure passwords along these lines.
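The submission's fifth point says that only policy enforcement at password-set time, not advice, moves the attacker's effort by a large factor; the paper excerpt frames strength as entropy against an attacker who knows how the password was chosen; and prandal asks how concatenated words like chrome=turnip or purplegearbox compare. The following example, written for this page and not taken from the paper or from either commenter, ties those three together: it rejects too-short and single-dictionary-word choices and estimates the guess space for each class the page discusses (dictionary word, multiword concatenation, and random or mnemonic-phrase strings, which the paper found equally strong and which are treated alike here). The wordlist is a constructed stand-in, the thresholds (8 characters, 30 bits, 3-letter minimum word) and the 50,000-word dictionary size are assumptions, and the attacker model (case variants free, each appended digit or symbol costing log2(43)) is a deliberately simple one.

```python
"""Policy check and guess-space estimate for the password classes discussed
on this page: naive dictionary words (with or without a digit tacked on),
concatenated multiword passwords such as chrome=turnip, and random or
mnemonic-phrase passwords.  Example code added for this page, not code from
the paper or from either commenter; the wordlist, thresholds and attacker
model below are assumptions and are marked as such."""
import math
import re
from functools import lru_cache

MIN_LENGTH = 8     # assumed policy minimum; the paper only says "too-short"
MIN_BITS = 30.0    # assumed policy floor on the estimated guess space
MIN_WORD_LEN = 3   # ignore very short words so random strings do not segment

# Constructed stand-in for a real wordlist.  A deployment would load a full
# dictionary; WORDLIST_SIZE is the assumed size of that full list and is the
# number the guess-space estimates use.
WORDLIST = frozenset({
    "chrome", "turnip", "purple", "gearbox", "gear", "box",
    "password", "letmein", "cambridge", "student", "dragon",
})
WORDLIST_SIZE = 50_000
DIGIT_PUNCT = 43   # assumed: 10 digits + 33 printable ASCII punctuation marks


def charset_size(pw: str) -> int:
    """Size of the union of the conventional character classes present in pw."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33
    return size


def segment(letters: str):
    """Split a lower-case letter string into the fewest WORDLIST words that
    cover it exactly, or return None if no such split exists."""
    if not letters:
        return None

    @lru_cache(maxsize=None)
    def best(i: int):
        if i == len(letters):
            return ()
        options = []
        for j in range(i + MIN_WORD_LEN, len(letters) + 1):
            if letters[i:j] in WORDLIST:
                rest = best(j)
                if rest is not None:
                    options.append((letters[i:j],) + rest)
        return min(options, key=len) if options else None

    return best(0)


def classify(pw: str):
    """Return (kind, estimated_bits) for an attacker who knows the selection
    scheme: each dictionary word costs log2(WORDLIST_SIZE), each digit or
    punctuation mark tacked on costs log2(DIGIT_PUNCT), and capitalisation is
    assumed free for the attacker (common case variants get tried anyway).
    Anything that does not segment into words is treated as if each character
    were drawn uniformly from the character classes it uses."""
    if not pw:
        return "empty", 0.0
    letters = re.sub(r"[^a-z]", "", pw.lower())
    words = segment(letters)
    if words is None:
        return "random", len(pw) * math.log2(charset_size(pw))
    non_letters = len(re.sub(r"[A-Za-z]", "", pw))
    bits = len(words) * math.log2(WORDLIST_SIZE) + non_letters * math.log2(DIGIT_PUNCT)
    return ("dictionary" if len(words) == 1 else "multiword"), bits


def check_policy(pw: str):
    """Enforce the policy when the password is set: the enforcement step the
    submission says advice alone cannot replace."""
    if len(pw) < MIN_LENGTH:
        return False, f"too short ({len(pw)} < {MIN_LENGTH})"
    kind, bits = classify(pw)
    if kind == "dictionary":
        return False, f"single dictionary word, about {bits:.1f} bits"
    if bits < MIN_BITS:
        return False, f"{kind}, about {bits:.1f} bits, below {MIN_BITS:.0f}"
    return True, f"{kind}, about {bits:.1f} bits"


if __name__ == "__main__":
    # Constructed samples: the two from prandal's comment, a naive choice with
    # a digit appended, a mnemonic-style string, a random string and all digits.
    for sample in ["letmein", "Password1", "chrome=turnip", "purplegearbox",
                   "Tmb1w2r!", "kq7Xz#pL", "12345678"]:
        ok, why = check_policy(sample)
        print(f"{sample:15} {'accept' if ok else 'reject':7} {why}")
```

Under these assumptions a two-word concatenation from a 50,000-word list is worth about 31 bits (36.6 with one separator), a naive word with a digit appended about 21 bits, and an 8-character random or mnemonic string over the full printable set about 52.6 bits, which is the ordering the page's findings describe. The numbers scale with the real dictionary size and the segmentation only works with a proper wordlist, so treat the estimates as relative, not absolute.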