Chapter Seven. The Memorability and Security of Passwords

Jeff Yan, Alan Blackwell, Ross Anderson, and Alasdair Grant

MANY THINGS ARE “WELL KNOWN” ABOUT PASSWORDS, such as the fact that people can’t remember strong passwords and that the passwords they can remember are easy to guess. However, little research on the subject would pass muster by the standards of applied psychology.[1]

In the study presented here, we confirmed some widely held folk beliefs about passwords. However, we also observed a number of surprising phenomena that run counter to the established wisdom. Our study shows that the methods of applied psychology can bring new insights and solid results for security research and development.

Introduction

Many of the deficiencies of password authentication systems arise from the limitations of human memory. If humans were not required to remember the password, a maximally secure textual password would be one with maximum entropy: it would consist of a string as long as the system allows, made up of characters selected from all those allowed by the system, and in a manner that provides no redundancy — that is, a totally random selection.

Each of these requirements is contrary to a well-known property of human memory:

  • Human memory for sequences of items is temporally limited,[2] with a short-term capacity of around seven (plus or minus two items).[3]

  • When humans remember a sequence of items, those items cannot be drawn from an arbitrary and unfamiliar range, but must be familiar ...

Get Security and Usability now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.