Improving the security of multiple passwords through a greater understanding of the human memory

Abstract

Multiple passwords are an increasing security issue that will only get worse with time. One of the major factors that compromise multiple passwords is users’ memory, and the behaviors they adopt to compensate for its failures. Through studying memory elements that influence users’ password memorability, we may increase our understanding of the user and therefore make proposals to increase the security of the password authentication mechanism. This dissertation examines the human memory to understand password security behaviors; and moreover, develops new theories and revises prominent memory theories for the password context. This research employs memory theories to not only increase the memorability of passwords, but to also improve the security of them by means of three studies that examine users’ beliefs and awareness (metamemory) about how their memory affects their password memorability and insecure password behavior; and look to increasing password memorability through improving learning (repetition through verification), and retrieval (through uniqueness). Empirical longitudinal studies collecting objective and subjective data measuring password recall (over 10000 passwords), memory interference, memory performance, memory beliefs, user convenience, and insecure password behavior. Through collecting objective password recall data, the results of these studies challenge users’ preconceptions about justifying their adoption of insecure password behaviors. Furthermore, it challenges the assumption of trade-offs between password security, memorability and user convenience found in previous password research. In meeting the objectives of the dissertation, this research has significant practical implications for organizations and individual users. Through a greater understanding of the human memory this can inform users to adopt better password security practices. The implications of these results suggest how to increase password memorability, how to decrease password forgetting, and how to decrease insecure password behaviors and the consequences of such insecure behaviors (such as security breaches).