The memorability and security of passwords – some empirical results By: Jianxin Yan, Alan Blackwell, Ross Anderson, Alasdair Grant Presenter: Roy Ford
Purpose of Study A number of guidance's have been produced on how to create passwords, but no one has studied what types of passwords are better to remember Do users choose simple to remember passwords over good passwords Can users be educated to produce better passwords
Human Memory is Fallible Memory for sequences of items is temporally limited Short term capacity 5-9 items (i.e. 7 digit phone numbers) Sequences must be chunked Memory thrives on redundancy
Common advice on password selection Passwords should be a mix of letters and numbers Passwords should not contain common words Passwords should not be written down Use random characters if possible Use random letters that sounds like a word
Common advice on password selection Use a pass phrase to remember the password passwords must be a minimum length Passwords must be changed on a regular interval Passwords must contain a mix of letters and numbers (system enforced)
Experimental Study 288 Freshman students volunteered to be part of the study, and were broken into 3 groups Group instructed to pick random passwords by pointing at letters and writing them down Group instructed to use pass phrases to memorize the passwords Control group not given any instruction
Breakdown of Subjects Number of Users Control Group95 Random Password96 Pass Phrase97 Comparison Group100
Experimental Study After 1 month, various attacks were performed on their passwords to see how complex they were User requests to change passwords were monitored After 4 months, the subjects were ed with a 2 question survey
Password Attacks Four attacks were applied against the passwords of the test subjects and an additional 100 comparison users Dictionary Attack Permutation of Words and Numbers User Information Attack Brute Force Attack (if passwords only 6 characters long)
Results - Password Length Selected Password Lengths Control Group7.6 Random Password8 Pass Phrase7.9 Comparison Group7.3
Results – Passwords that could be cracked Cracked Passwords Control Group30 (32%) Random Password8 (8%) Pass Phrase6 (6%) Comparison Group33 (33%)
Results – Brute Force Attacks Passwords cracked with brute force (6 or less characters) Control Group3 Random Password3 Pass Phrase3 Comparison Group2
Password Memorization The study also wanted to see how much trouble users had with remembering passwords System Admin calls were tracked to see if users were resetting their passwords A survey was send to users questioning them on their passwords
Password Survey Two question Survey How hard did you find it to memorize your password (1 = trivial, 5 = impossible) How long did you have to carry your password with you (in weeks), as you had not memorized it.
Results – System Admin calls for Password Reset System Admin Calls for Password Resets Control Group2 Random Password1 Pass Phrase3
Results – Number of Subjects who responded to the survey Survey Responses Control Group80 (84%) Random Password71 (74%) Pass Phrase78 (80%) Total229 (80%)
Results – Survey Results Difficulty to Memorize Weeks to remember Control Group Random Password Pass Phrase
Conclusions People have difficulty remembering random passwords Some users never memorized their passwords Pass phase passwords are harder to crack Random passwords are no stronger than pass phase passwords
Conclusion Pass phase passwords are as easy to remember as naively selected passwords Educating users to use random or pass phase passwords does not improve security unless there is a way to enforce the policy, since 10% of users failed to comply with the request.
Recommendations Users should be instructed to use pass phase passwords Users should be encouraged to use 10+ character passwords Passwords should contain numbers and letters
Recommendations Compliance to policy should be enforced if possible Centrally assigned random passwords improve security through improved policy compliance