Abstract
It is well known that text-based passwords are hard to remember and that users prefer simple (and non-secure) passwords. However, despite extensive research on the topic, no principled account exists for explaining when a password will be forgotten. This paper contributes new data and a set of analyses building on the ecological theory of memory and forgetting. We propose that human memory naturally adapts according to an estimate of how often a password will be needed, such that often used, important passwords are less likely to be forgotten. We derive models for login duration and odds of recall as a function of rate of use and number of uses thus far. The models achieved a root-mean-square error (RMSE) of 1.8 seconds for login duration and 0.09 for recall odds for data collected in a month-long field experiment where frequency of password use was controlled. The theory and data shed new light on password management, account usage, password security and memorability.
Original language | English |
---|---|
Title of host publication | Proceedings of the 27th USENIX Security Symposium |
Publisher | USENIX -The Advanced Computing Systems Association |
Pages | 221-238 |
ISBN (Electronic) | 978-1-931971-46-1 |
Publication status | Published - 2018 |
MoE publication type | A4 Conference publication |
Event | USENIX Security Symposium - Baltimore, United States Duration: 15 Aug 2018 → 17 Aug 2018 Conference number: 27 |
Conference
Conference | USENIX Security Symposium |
---|---|
Country/Territory | United States |
City | Baltimore |
Period | 15/08/2018 → 17/08/2018 |