Forgetting of passwords: Ecological theory and data

Xianyi Gao; Yulong Yang; Can Liu; Christos Mitropoulos; Janne Lindqvist; Antti Oulasvirta

Forgetting of passwords: Ecological theory and data

Xianyi Gao, Yulong Yang, Can Liu, Christos Mitropoulos, Janne Lindqvist, Antti Oulasvirta

Engn - Elec & Computer Engn

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

10 Scopus citations

Abstract

It is well known that text-based passwords are hard to remember and that users prefer simple (and non-secure) passwords. However, despite extensive research on the topic, no principled account exists for explaining when a password will be forgotten. This paper contributes new data and a set of analyses building on the ecological theory of memory and forgetting. We propose that human memory naturally adapts according to an estimate of how often a password will be needed, such that often used, important passwords are less likely to be forgotten. We derive models for login duration and odds of recall as a function of rate of use and number of uses thus far. The models achieved a root-mean-square error (RMSE) of 1.8 seconds for login duration and 0.09 for recall odds for data collected in a month-long field experiment where frequency of password use was controlled. The theory and data shed new light on password management, account usage, password security and memorability.

Original language	English (US)
Title of host publication	Proceedings of the 27th USENIX Security Symposium
Publisher	USENIX Association
Pages	221-238
Number of pages	18
ISBN (Electronic)	9781939133045
State	Published - Jan 1 2018
Event	27th USENIX Security Symposium - Baltimore, United States Duration: Aug 15 2018 → Aug 17 2018

Publication series

Name	Proceedings of the 27th USENIX Security Symposium

Conference

Conference	27th USENIX Security Symposium
Country/Territory	United States
City	Baltimore
Period	8/15/18 → 8/17/18

All Science Journal Classification (ASJC) codes

Computer Networks and Communications
Information Systems
Safety, Risk, Reliability and Quality

Cite this

@inproceedings{acd90f724cb84ec5843efda943d43dca,

title = "Forgetting of passwords: Ecological theory and data",

abstract = "It is well known that text-based passwords are hard to remember and that users prefer simple (and non-secure) passwords. However, despite extensive research on the topic, no principled account exists for explaining when a password will be forgotten. This paper contributes new data and a set of analyses building on the ecological theory of memory and forgetting. We propose that human memory naturally adapts according to an estimate of how often a password will be needed, such that often used, important passwords are less likely to be forgotten. We derive models for login duration and odds of recall as a function of rate of use and number of uses thus far. The models achieved a root-mean-square error (RMSE) of 1.8 seconds for login duration and 0.09 for recall odds for data collected in a month-long field experiment where frequency of password use was controlled. The theory and data shed new light on password management, account usage, password security and memorability.",

author = "Xianyi Gao and Yulong Yang and Can Liu and Christos Mitropoulos and Janne Lindqvist and Antti Oulasvirta",

year = "2018",

month = jan,

day = "1",

language = "English (US)",

series = "Proceedings of the 27th USENIX Security Symposium",

publisher = "USENIX Association",

pages = "221--238",

booktitle = "Proceedings of the 27th USENIX Security Symposium",

note = "27th USENIX Security Symposium ; Conference date: 15-08-2018 Through 17-08-2018",

}

Forgetting of passwords : Ecological theory and data. / Gao, Xianyi; Yang, Yulong; Liu, Can; Mitropoulos, Christos; Lindqvist, Janne; Oulasvirta, Antti.

Proceedings of the 27th USENIX Security Symposium. USENIX Association, 2018. p. 221-238 (Proceedings of the 27th USENIX Security Symposium).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Forgetting of passwords

T2 - 27th USENIX Security Symposium

AU - Gao, Xianyi

AU - Yang, Yulong

AU - Liu, Can

AU - Mitropoulos, Christos

AU - Lindqvist, Janne

AU - Oulasvirta, Antti

PY - 2018/1/1

Y1 - 2018/1/1

N2 - It is well known that text-based passwords are hard to remember and that users prefer simple (and non-secure) passwords. However, despite extensive research on the topic, no principled account exists for explaining when a password will be forgotten. This paper contributes new data and a set of analyses building on the ecological theory of memory and forgetting. We propose that human memory naturally adapts according to an estimate of how often a password will be needed, such that often used, important passwords are less likely to be forgotten. We derive models for login duration and odds of recall as a function of rate of use and number of uses thus far. The models achieved a root-mean-square error (RMSE) of 1.8 seconds for login duration and 0.09 for recall odds for data collected in a month-long field experiment where frequency of password use was controlled. The theory and data shed new light on password management, account usage, password security and memorability.

AB - It is well known that text-based passwords are hard to remember and that users prefer simple (and non-secure) passwords. However, despite extensive research on the topic, no principled account exists for explaining when a password will be forgotten. This paper contributes new data and a set of analyses building on the ecological theory of memory and forgetting. We propose that human memory naturally adapts according to an estimate of how often a password will be needed, such that often used, important passwords are less likely to be forgotten. We derive models for login duration and odds of recall as a function of rate of use and number of uses thus far. The models achieved a root-mean-square error (RMSE) of 1.8 seconds for login duration and 0.09 for recall odds for data collected in a month-long field experiment where frequency of password use was controlled. The theory and data shed new light on password management, account usage, password security and memorability.

UR - http://www.scopus.com/inward/record.url?scp=85069878284&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85069878284&partnerID=8YFLogxK

M3 - Conference contribution

T3 - Proceedings of the 27th USENIX Security Symposium

SP - 221

EP - 238

BT - Proceedings of the 27th USENIX Security Symposium

PB - USENIX Association

Y2 - 15 August 2018 through 17 August 2018

ER -

Forgetting of passwords: Ecological theory and data

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Other files and links

Fingerprint

Cite this