Investigation of Instructions for Password Generation Robert W. Proctor Department of Psychological Sciences Ninghui Li Department of Computer Science Based on: Yang, W., Li, N., Chowdhury, O., Xiong, A., & Proctor, R. W. (2016). An empirical study of password generation strategies. Proceedings of the 23rd ACM Conference on Computer and Communications Security (CCS 2016).

Passwords Primary means of authentication “The number of accounts we use is growing at a 14% rate… In 2020, the average number of accounts per Internet user will be 207! Are you ready to remember 207 login and password combos?” (Le Bros, 2015, Dashlane blog) Continue to be used because Accepted by users Relatively easy to implement There are figures on the right if you want to use them as an example for the permission list

Password Composition Many users do not create secure passwords (Nicholas, 2016) There are figures on the right if you want to use them as an example for the permission list

How do you get users to generate secure and memorable passwords? Password Composition Rules use of both upper-case and lower-case letters inclusion of one or more numerical digits inclusion of special characters, such as @, #, $ Computer-Generated Passwords Difficult for users to remember There are figures on the right if you want to use them as an example for the permission list

How do you get users to generate secure and memorable passwords? Mnemonic strategies 1. Think of a memorable sentence or phrase containing at least seven or eight words. For example, “Four score and seven years ago our fathers brought forth on this continent”. 2. Select a letter, number, or a special character to represent each word. A common method is to use the first letter of every word. For example: four⇒4, score⇒s, and⇒&. Combine them into a password: 4s&7yaofb4otc. There are figures on the right if you want to use them as an example for the permission list

Effect of Instructions Instructions are provided when people create passwords However, research has not systematically investigated how instructions affect: the security of the generated passwords the usability of the method memorability of the passwords  There are figures on the right if you want to use them as an example for the permission list

Study 1: Security of Mnemonic-based Strategy Variants

Study 1: Security of Mnemonic-based Strategy Variants

Study 1: Security of Mnemonic-based Strategy Variants MTurk Workers Participants were asked to type the sentence used in the intermediate step, after which they were to enter the password. Participants warned not to use their actual passwords. We forbade passwords that were the same as the examples and that did not appear to be generated following the instructions.

Table: Collisions Among the Top and Top 10 Passwords There are figures on the right if you want to use them as an example for the permission list

Study 1 Findings Finding 1: Using generic instructions and examples results in weak passwords. Finding 2: Instructions requesting personal-ized sentences and containing appropriate examples lead to strong passwords. 536 sentences in MnePerEx started with “I” or “my”, suggesting a personalized choice. In comparison, such sentences appeared only 125 times in MneGenEx. There are figures on the right if you want to use them as an example for the permission list

Study 1 Findings Finding 3: Commonly suggested instantiations are worse than MnePerEx. Finding 4: Both personalized sentences and high-quality examples are needed to achieve better security. MneEx and MnePer For both MneEx and MnePer, number of collisions was greater than for MnePerEx, although less than for MneGenEx. There are figures on the right if you want to use them as an example for the permission list

Study 2: Usability & Memorability of Mnemonic Strategies Examined the usability and memorability of MneGenEx, MnPerEx, and a Control condition. Told that they would be asked to return and use the password in about one week, and they could take whatever measures they would normally take to remember and protect the passwords. Each participant was asked to create an online account for a bank named “Provident Citizens Bank”. Half of participants tested for recall at end of session; all invited to return 1 week later. Filled out NASA TLX for initial password generation and final recall.

Study 2: First Phase Results Compared with MneGenEx, password generation time was shorter in MnePerEx. The workload required in the Control condition was lower than that in the two mnemonic strategy variants, which did not differ. Short-term recall: Almost all participants entered the correct password.

Study 2: Second Phase Results The final successful recall rate did not differ significantly among the conditions. Those who did short-term recall tended to have higher success rates for long-term recall in all conditions. The password recall time in the Control condition was shorter than that for MneGenEx and MnePerEx conditions, for which there was no significant difference.

Study 2: Second Phase Results NASA TLX subscales: Mental workload and frustration ratings of mnemonic strategy variants were higher than those of the Control. At the end of the task, participants were asked to update the password, without any restriction except that the it could not be the same as the old one. About 70% of participants in MneGenEx and MnePerEx said “yes” to a question about whether they used the strategy we provided.

Summary The specific instructions used for mnemonic strategies are important in determining the passwords that are created. Instructions emphasizing personal information and including multiple examples provide the strongest security with no additional cost in usability and memorability. There are figures on the right if you want to use them as an example for the permission list

Broader Conclusions Instructions and feedback that highlight declarative and procedural knowledge about security action in which users must engage is essential. Instructions and warnings should be designed to have training embedded in them.