Abstract
It is well known that text-based passwords are hard to remember and that users prefer simple (and non-secure) passwords. However, despite extensive research on the topic, no principled account exists for explaining when a password will be forgotten. This paper contributes new data and a set of analyses building on the ecological theory of memory and forgetting. We propose that human memory naturally adapts according to an estimate of how often a password will be needed, such that often-used, important passwords are less likely to be forgotten. We derive models for login duration and odds of recall as a function of rate of use and number of uses thus far. The models achieved a root-mean-square error (RMSE) of 1.8 seconds for login duration and 0.09 for recall odds for data collected in a month-long field experiment where frequency of password use was controlled. The theory and data shed new light on password management, account usage, password security and memorability.
| Original language | English |
|---|---|
| Title of host publication | Proceedings of the 27th USENIX Security Symposium |
| Publisher | USENIX - The Advanced Computing Systems Association |
| Pages | 221-238 |
| ISBN (Electronic) | 978-1-931971-46-1 |
| Publication status | Published - 2018 |
| MoE publication type | A4 Conference publication |
| Event | USENIX Security Symposium - Baltimore, United States; Duration: 15 Aug 2018 → 17 Aug 2018; Conference number: 27 |
Conference
| Conference | USENIX Security Symposium |
|---|---|
| Country/Territory | United States |
| City | Baltimore |
| Period | 15/08/2018 → 17/08/2018 |