Computer Laboratory

Technical reports

The memorability and security of passwords – some empirical results

Jianxin Yan, Alan Blackwell, Ross Anderson, Alasdair Grant

September 2000, 13 pages

Abstract

There are many things that are ‘well known’ about passwords, such as that uers can’t remember strong passwords and that the passwords they can remember are easy to guess. However, there seems to be a distinct lack of research on the subject that would pass muster by the standards of applied psychology.

Here we report a controlled trial in which, of four sample groups of about 100 first-year students, three were recruited to a formal experiment and of these two were given specific advice about password selection. The incidence of weak passwords was determined by cracking the password file, and the number of password resets was measured from system logs. We observed a number of phenomena which run counter to the established wisdom. For example, passwords based on mnemonic phrases are just as hard to crack as random passwords yet just as easy to remember as naive user selections.

Full text

PDF (0.2 MB)

BibTeX record

@TechReport{UCAM-CL-TR-500,
  author =	 {Yan, Jianxin and Blackwell, Alan and Anderson, Ross and
          	  Grant, Alasdair},
  title = 	 {{The memorability and security of passwords -- some
         	   empirical results}},
  year = 	 2000,
  month = 	 sep,
  url = 	 {http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-500.pdf},
  institution =  {University of Cambridge, Computer Laboratory},
  number = 	 {UCAM-CL-TR-500}
}