Chapter Seven. The Memorability and Security of Passwords
Jeff Yan, Alan Blackwell, Ross Anderson, and Alasdair Grant
MANY THINGS ARE “WELL KNOWN” ABOUT PASSWORDS, such as the fact that people can’t remember strong passwords and that the passwords they can remember are easy to guess. However, little research on the subject would pass muster by the standards of applied psychology.
In the study presented here, we confirmed some widely held folk beliefs about passwords. However, we also observed a number of surprising phenomena that run counter to the established wisdom. Our study shows that the methods of applied psychology can bring new insights and solid results for security research and development.
Many of the deficiencies of password authentication systems arise from the limitations of human memory. If humans were not required to remember the password, a maximally secure textual password would be one with maximum entropy: it would consist of a string as long as the system allows, made up of characters selected from all those allowed by the system, and in a manner that provides no redundancy — that is, a totally random selection.
Each of these requirements is contrary to a well-known property of human memory: