Password psychology
Living in the intersection of cryptography and psychology, password psychology is the study of what makes passwords or cryptographic keys easy to remember or guess.
For a password to work and provide security to its user, it must be kept secret and unguessable; this also requires the user to memorize it. The psychology behind choosing a password is a balance between memorization, security and convenience. Password security involves many psychological and social issues, including whether or not to share a password, the feeling of security, and the eventual choice of whether or not to change a password. Passwords may also be reflective of personality. Those who are more uptight or security-oriented may choose longer or more complicated passwords. Those who are lax or who feel more secure in their everyday lives may never change their password.[1] The most common password is Password1, which may point to convenience over security as the main concern for internet users.[2][3]
History
The use and memorization of both nonsense and meaningful alphanumeric material has had a long history in psychology beginning with Hermann Ebbinghaus. Since then, numerous studies have established that not only are both meaningful and nonsense “words” easily forgotten, but that both their forgetting curves are exponential with time.[4] Chomsky advocates meaning as arising from semantic features, leading to the idea of “concept formation” in the 1930s.[5]
Current research
Research is being done to find new techniques for enhancing cognitive ability and memorization when it comes to password selection.[6] A study from 2004 indicates that the typical college student creates about 4 different passwords for use with about 8 different items, such as computers, cell phones, and email accounts, and the typical password is used for about two items.[7] The information about types of passwords points to an approximately even split between linguistic and numeric passwords, with about a quarter using a mix of linguistic and numeric information. Names (proper names, nicknames) are the most common information used for passwords, with dates second.[8] Research is also being done regarding the effect of policies that force users to create more secure and effective passwords.[9] The results of this study show that a password composition policy reduces the similarity of passwords to dictionary words. However, such a policy did not reduce the use of meaningful information in passwords such as names and birth dates, nor did it reduce password recycling.[10]
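The finding above, that a password can satisfy a composition policy while still being built from a name, a birth date or a recycled base word, can be shown with a small check run beside the policy. This is an added example, not taken from the cited studies; the policy rules, the function names and every sample value are constructed for illustration.

```python
import re
from datetime import date

# Undo common letter substitutions: 0->o, 1->i, 3->e, 4->a, 5->s, 7->t, @->a, $->s, !->i
LEET = str.maketrans("013457@$!", "oieastasi")

def composition_ok(pw):
    """Constructed composition policy: 8+ characters and all four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)

def base_word(pw):
    """Drop trailing digits/symbols so 'Autumn2023!' and 'Autumn2024#' compare equal."""
    return re.sub(r"[^a-z]+$", "", pw.lower())

def meaningful_findings(pw, names, birth, old_passwords):
    """Return the personal or recycled material found in pw (empty list if none)."""
    findings = []
    normalized = pw.lower().translate(LEET)
    for name in names:
        if len(name) >= 3 and name.lower() in normalized:
            findings.append("name:" + name.lower())
    # Birth date written as YYYY, DDMM or MMDD, searched in the raw password.
    for frag in (f"{birth.year}", f"{birth.day:02}{birth.month:02}",
                 f"{birth.month:02}{birth.day:02}"):
        if frag in pw:
            findings.append("birthdate:" + frag)
    # Recycling: same base word as a password the user supplied earlier
    # (for example the current password typed into a change-password form).
    base = base_word(pw)
    if len(base) >= 4 and any(base == base_word(old) for old in old_passwords):
        findings.append("recycled")
    return findings

if __name__ == "__main__":
    # Constructed user record and candidate passwords.
    user = dict(names=["Michael", "Kowalski"], birth=date(1987, 3, 14),
                old_passwords=["Autumn2023!"])
    for candidate in ("Michael1987!", "M1ch@el#0314", "Autumn2024#", "vT9#qLm2&xRw"):
        print(candidate, composition_ok(candidate), meaningful_findings(candidate, **user))
```

All four constructed candidates pass the composition policy; only the last one contains no name, birth date or recycled base word.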
Memorization problems
Password psychology is directly linked to memorization and the use of mnemonics. Mnemonic devices are often used as passwords, but many users choose simpler passwords. It has been shown that mnemonic devices and simple passwords are equally easy to remember and that the choice of convenience plays a key role in password creation.[11]
Password alternatives
To address the issues presented by memorization and security, many businesses and internet sites have turned to accepting different types of authentication. This authentication could be a single-use password, non-text-based, biometric, a 2D key, or question-based cognitive passwords. Many of these options are more expensive, more time-consuming, or still require some form of memorization. Thus, most businesses and individuals still use the common format of single-word, text-based passwords as security protection.
References
- Info Security. "The contradictions of password psychology." 22 February 2012. Copyright Reed Exhibitions. http://www.infosecurity-magazine.com/view/24057/the-contradictions-of-password-psychology/
- Cowley, Stacy. "If You're Using 'Password1,' Change It. Now." CNNMoney. Cable News Network, 01 Mar. 2012. Web. 23 Mar. 2012. http://money.cnn.com/2012/03/01/technology/password_security/index.htm
- https://haveibeenpwned.com/Passwords
- Ostojic, P. P., & Phillips, J. G. (2009). Memorability of alternative password systems. International Journal of Pattern Recognition & Artificial Intelligence, 23(5), 987-1004.
- Ostojic, P. P., & Phillips, J. G. (2009). Memorability of alternative password systems. International Journal of Pattern Recognition & Artificial Intelligence, 23(5), 987-1004.
- Nelson, D., & Vu, K. L. (2010). Effectiveness of image-based mnemonic techniques for enhancing the memorability and security of user-generated passwords. Computers in Human Behavior, 26(4), 705-715. doi:10.1016/chb2010.01.007
- Brown, Alan S.; et al. (2004). "Generating and Remembering Passwords". Applied Cognitive Psychology, 18(6), 641–651.
- Brown, Alan S.; et al. (2004). "Generating and Remembering Passwords". Applied Cognitive Psychology, 18(6), 641–651.
- Campbell J, Ma W, Kleeman D. Impact of restrictive composition policy on user password choices. Behaviour & Information Technology [serial online]. May 2011;30(3):379-388.
- Campbell J, Ma W, Kleeman D. Impact of restrictive composition policy on user password choices. Behaviour & Information Technology [serial online]. May 2011;30(3):379-388.
- Yan, Jeff, Alan Blackwell, Ross Anderson, and Alasdair Grant. IEEE Security & Privacy. The IEEE Computer Society, Sept. 2004. Web. "Archived copy" (PDF). Archived from the original (PDF) on 2012-04-14. Retrieved 2016-02-05.