Insights from Human Factors International
In This Issue:
Cracking Password Usability... Exploiting human memory to create secure and memorable passwords
Kath Straub, Ph.D., CUA, Chief Scientist of HFI, discusses a novel
approach to password creation.
The Pragmatic Ergonomist
Dr. Eric Schaffer, Ph.D., CPE, founder and CEO of HFI offers practical
advice.
What do YOU remember from high school?
"King Peter came over from Germany streaking."
Do you remember that one from high school biology? It
is the memory aid (or "mnemonic device") that students use to
remember the levels and order of the phylogenic chain:
King > kingdom
Peter > phylum
came > class
over > order
from > family
Germany > genus
streaking > species
Sure, it takes a little effort to map from the word string to the levels.
In my mind it sounds something like this:
"King Peter came over from
Germany streaking...
kingdom, phylum... ummm...
King Peter came over...
kingdom, phylum, class, order... ummm...
King Peter came over from Germany...".
However, despite the extra effort, the sentence makes it possible to
accurately recall the string even many years later. It improves remembering
by providing mental triggers for both the words (based on the first letters),
and their order (based on the sentence itself).
There is a substantial literature showing that a string of words forming
a complete concept or idea (what Peter was doing) is easier to remember
than an unrelated list of words. Further, the more vivid the sentence
(the King is streaking!), the easier it is to remember.
Xena01
Bess99
Keeping track of passwords is a challenge that we all face. Ideally,
the passwords that we use should be both secure and memorable. But there
is a constant tension between the security and the usability of the passwords
in password selection.
When users select their own passwords, they choose strings that are easy
to remember. "Password" is the most common password. Self-selected
passwords are typically words, names, or very familiar numbers. They are
predictable: kids' names, pet names (Xena and Bess are my dogs). When
the systems administrator insists we add a number, we typically append
this year or the birth year (Xena is 3 years old, Bess is 5). When forced
to change passwords monthly, users often use the number of the month,
to maintain the hope that they will remember the password. It doesn't
help that we all have a dozen or more separate passwords. And it's not
surprising that these self-generated passwords are easy to crack.
Secure and memorable. Pick 1.
Frustrated systems administrators attempt to sidestep this security problem
by generating passwords for users. To the sysadmin the highest ranked
constraint for good passwords is security, not memorability. Sysadmin-generated
passwords are usually:
- the longest string they think they can get away with,
- consisting of non-redundant strings of random alphanumeric characters,
- and include special characters.
These passwords are secure, but they're impossible to remember. They
are difficult to remember because there are limits to human memory. Humans
are better at remembering shorter, nonrandom strings that are meaningful.
We do better with redundancy.
Despite their best efforts, the "secure" passwords aren't really
secure because of how users end up coping with these impossible strings.
We write them down. We store them in a file on the computer. Or –
worst of all – we let Microsoft memorize them. Kind of defeats the
goal of the random string.
Yes, Toto, there can be secure AND memorable passwords...
Yan, Blackwell, Anderson, and Grant (2000) report a set of pilot experiments
suggesting that secure and memorable passwords do not have to be painful.
Their passwords, or "passphrases", rely on the same memory device as the
King Peter sentence.
In their study, they explored both the memorability and crackability
of passwords. They started by randomly assigning 288 incoming college freshmen
to one of three password groups:
- Control Group: Students selected their own password based on the instructions
"Your password should be at least seven characters long and contain at least
one non-letter".
- Random String Group: Students created random 8-character alphanumeric passwords.
- Passphrase Group: Students were instructed to create a 7- or 8-character
password by thinking up a "simple sentence of 8 words and choose letters from
the words to make up a password. You might take the initial or final letters;
you should put some letters in upper case to make the password harder to guess;
and at least one number and/or special character should be inserted as well."
One month after students selected their passwords, the researchers captured
the password files of the participating students and evaluated them for
crackability. They used four separate algorithms to crack the passwords
that were 7 letters and longer:
- Simple Dictionary Attack – try all words in multiple dictionary files
- Permutations – try all 1, 2, and 3 alphanumeric digit permutations of words in dictionary files
- Simple Letter-Number Replacements – try replacing letters with similar looking numbers (e.g., S with 5 or L with 1)
- Brute Force Attack – test all permutations of strings 6 characters or less
All passwords 6 characters or less were cracked with brute force attacks.
For longer strings, both the random string
group and the passphrase group were significantly harder to crack than
the control group. (In reality the passwords in the random character and
passphrase groups that were cracked were neither random words nor passphrases.
They were actually words or permutations of words. Participants had simply
not complied with the experimental instructions.)
Noncompliance aside, the passphrases seemed to be as secure as the randomly
selected strings. But were they memorable?
Cognitive Psychology to the rescue
Yan and colleagues also conducted a brief post hoc survey in which they
asked participants how easy it was to memorize their password on a scale
of Trivial (1) to Impossible (5).
Participants in the Random String group rated their passwords significantly
harder than either the Passphrase group or the Control group. There was
no reliable difference between the memorability of the Passphrase passwords
and the Control Group passwords.
So the passphrases were just as easy to remember.
Yan and colleagues reported challenges in getting all users to really
follow the instructions. But the improvement overall is clear. Perhaps
creating simple usable instructions with clear examples could increase
compliance.
This study is important for several reasons. In the ruthlessly pragmatic
sense, it demonstrates that passwords don't have to be impossible to remember
to be secure. In fact, the passphrase instructions used in this experiment
could be improved even more. Users could be guided to select a sentence
that naturally contains both numbers and mixed case. For example, the
sentence, "The area code for Mumbai is +91" > TacfMi+91.
Painless alphanumeric mixed case including special characters.
In the larger sense, this study demonstrates that understanding the subtleties
of what is easy and hard for humans – how the mind works –
is key to designing things that are easy to use.
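As an added illustration (not code from the article or from Yan et al.), the following Python derives a password from a sentence the way the Passphrase group was instructed, and then checks a candidate against the four cracking methods listed above, as a password-policy checker would. The word list is constructed, and the exact "permutations" rule (a dictionary word with 1 to 3 alphanumerics appended or prepended) is an assumption.

```python
from typing import Optional, Set

# Constructed sample word list; a real policy check would load full dictionary files.
SAMPLE_DICTIONARY: Set[str] = {"password", "xena", "bess", "mary", "mumbai", "secret"}

# Look-alike substitutions that the study's third cracker undoes (5 -> s, 1 -> l, ...).
LOOKALIKE = {"5": "s", "1": "l", "0": "o", "3": "e", "4": "a", "7": "t", "@": "a", "$": "s"}


def passphrase_password(sentence: str, use_final: bool = False) -> str:
    """Derive a password the way the Passphrase group was told to: take the
    initial (or final) letter of each word, keep whatever case the sentence
    already has, and copy a number/symbol token such as '+91' unchanged."""
    parts = []
    for raw in sentence.split():
        word = raw.strip('.,;:!?"\'')
        if not word:
            continue
        if not any(ch.isalpha() for ch in word):
            parts.append(word)  # a number or symbol token: keep it whole
        else:
            parts.append(word[-1] if use_final else word[0])
    return "".join(parts)


def cracked_by(password: str, dictionary: Set[str]) -> Optional[str]:
    """Name the first of the study's four methods that would recover the
    password, or None if it survives all of them.  Matching is case-insensitive;
    'permutations' is modelled as a dictionary word with one to three
    alphanumerics appended or prepended (an assumption about the exact rule)."""
    if len(password) <= 6:
        return "brute force"
    lower = password.lower()
    if lower in dictionary:
        return "simple dictionary"
    for k in (1, 2, 3):
        if lower[-k:].isalnum() and lower[:-k] in dictionary:
            return "permutations"
        if lower[:k].isalnum() and lower[k:] in dictionary:
            return "permutations"
    if "".join(LOOKALIKE.get(ch, ch) for ch in lower) in dictionary:
        return "letter-number replacement"
    return None


if __name__ == "__main__":
    for pw in ("Xena01", "password", "mumbai99", "pa55word",
               passphrase_password("The area code for Mumbai is +91")):
        print(f"{pw:12} -> {cracked_by(pw, SAMPLE_DICTIONARY) or 'survives all four'}")
```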
The Pragmatic Ergonomist
This is a nice way to prompt users to create memorable and secure passwords.
But I have two concerns.
First, I can't forget observing at a banking call center and noticing
fully 70% of the calls were about passwords that did not work. Almost
ALL of these were because the Caps Lock was set. Making passwords case
sensitive is expensive. Don't do that again.
Second, the password problem is no longer an issue of a single password.
I suspect a single user may need passwords for many dozens of sites, applications,
and facilities. A single bank account can require up to 3 different passwords!
(ATM PIN, Voice Response PIN, and Web Password). Do they use the same
password throughout? (A huge security risk.) I think we need to look at
this problem more globally.
References
J. Yan, A. Blackwell, R. Anderson and A. Grant. The Memorability and Security of Passwords – Some Empirical Results. Technical Report No. 500, Computer Laboratory, University of Cambridge, 2000.
Jim Lutterbach, PE
RW Armstrong
A lot of money will go to the persons who can solve this problem.
Jack Grimes
GimesOnline.com
"Secure and memorable. Pick 1." is not right....
There is a better and secure way to create a password. It depends not
just upon your ability to remember strings, but rather depends on the
ability to construct a string.
Take a date, like your birthdate, 2-16-62, and a name, like your mom's name, mary.
The secure, constructible password is the alternation of characters from
these two strings:
2m1a6r6y2
It can't be guessed and is not subject to a dictionary attack.
I learned this from some security folks in a long-forgotten article.