Multi-cultural empirical study of password strength versus ergonomic utility

Abstract

This paper presents the findings of a principled, empirical study of password security. Security policies direct users to select long passwords having arcane collections of case, numerals, and special characters, and no whole words. Then users are told to change passwords often, never to reuse them, and not to record them: Requirement 1: Passwords must be impossible to remember. Requirement 2: Memorize all passwords. When faced with an inconvenient request for a new password, many people reflexively reuse existing passwords, or concoct minimally adequate, easily memorable passwords on-the-fly. In this study, volunteers access the project website to complete a demographic survey, and are asked to create passwords at various points. Later in the encounter, they are asked to reiterate these passwords. Password strength (as determined by an open-source application described in the paper) is correlated with password memorability (ergonomic utility) within the context of the collected demographic factors.