Too many passwords? : How understanding our memory can increase password memorability

Abstract

Passwords are the most common authentication mechanism, that are only increasing with time. Previous research suggests that users cannot remember multiple passwords. Therefore, users adopt insecure password practices, such as password reuse in response to their perceived memory limitations. The critical question not currently examined is whether users’ memory capabilities for password recall are actually related to having a poor memory. This issue is imperative: if insecure password practices result from having a poor memory, then future password research and practice should focus on increasing the memorability of passwords. If, on the other hand, the problem is not solely related to memory performance, but to users’ inaccurate perception of their memory, then future research needs to examine why this is the case and how such false perception can be improved. In this paper we examined this conundrum by contextualizing the memory theory of metamemory, to the password security context. We argue, based on our contextualized metamemory theory, that the recall of multiple passwords is not related to users’ memory capabilities, and therefore users are able to actually remember more passwords than they think. Instead, we argue that users’ perceptions of their memories abilities, in terms of password memory capacity; perceived control over their memory; motivation to remember; and their understanding of their memory, explains why users cannot remember their passwords. We tested our contextualized metamemory theory in the password security context through a longitudinal experiment, examining over 3500 passwords. The results suggest that our contextualized metamemory theory, rather than the general metamemory theory explains password recall. This study has important implications for research in password security, and practice.