TY - GEN
T1 - Forgetting of passwords
T2 - 27th USENIX Security Symposium
AU - Gao, Xianyi
AU - Yang, Yulong
AU - Liu, Can
AU - Mitropoulos, Christos
AU - Lindqvist, Janne
AU - Oulasvirta, Antti
PY - 2018/1/1
Y1 - 2018/1/1
N2 - It is well known that text-based passwords are hard to remember and that users prefer simple (and non-secure) passwords. However, despite extensive research on the topic, no principled account exists for explaining when a password will be forgotten. This paper contributes new data and a set of analyses building on the ecological theory of memory and forgetting. We propose that human memory naturally adapts according to an estimate of how often a password will be needed, such that often used, important passwords are less likely to be forgotten. We derive models for login duration and odds of recall as a function of rate of use and number of uses thus far. The models achieved a root-mean-square error (RMSE) of 1.8 seconds for login duration and 0.09 for recall odds for data collected in a month-long field experiment where frequency of password use was controlled. The theory and data shed new light on password management, account usage, password security and memorability.
UR - http://www.scopus.com/inward/record.url?scp=85069878284&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85069878284&partnerID=8YFLogxK
M3 - Conference contribution
T3 - Proceedings of the 27th USENIX Security Symposium
SP - 221
EP - 238
BT - Proceedings of the 27th USENIX Security Symposium
PB - USENIX Association
Y2 - 15 August 2018 through 17 August 2018
ER -