An empirical study of mnemonic sentence-based password generation strategies

Weining Yang, Ninghui Li, Omar Chowdhury, Aiping Xiong, Robert W. Proctor

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

4 Citations (Scopus)

Abstract

Mnemonic strategy has been recommended to help users generate secure and memorable passwords. We evaluated the security of 6 mnemonic strategy variants in a series of online studies involving 5,484 participants. In addition to applying the standard method of using guess numbers or similar metrics to compare the generated passwords, we also measured the frequencies of the most commonly chosen sentences as well as the resulting passwords. While metrics similar to guess numbers suggested that all variants provided highly secure passwords, statistical metrics told a different story. In particular, differences in the exact instructions had a tremendous impact on the security level of the resulting passwords. We examined the mental workload and memorability of 2 mnemonic strategy variants in another online study with 752 participants. Although perceived workloads for the mnemonic strategy variants were higher than that for the control group where no strategy is required, no significant reduction in password recall after 1 week was obtained.

Original language: English (US)
Title of host publication: CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
Publisher: Association for Computing Machinery
Pages: 1216-1229
Number of pages: 14
ISBN (Electronic): 9781450341394
DOI: https://doi.org/10.1145/2976749.2978346
State: Published - Oct 24 2016
Event: 23rd ACM Conference on Computer and Communications Security, CCS 2016 - Vienna, Austria
Duration: Oct 24 2016 → Oct 28 2016

Publication series

Name: Proceedings of the ACM Conference on Computer and Communications Security
Volume: 24-28-October-2016
ISSN (Print): 1543-7221

Other

Other: 23rd ACM Conference on Computer and Communications Security, CCS 2016
Country: Austria
City: Vienna
Period: 10/24/16 → 10/28/16

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications

Cite this

Yang, W., Li, N., Chowdhury, O., Xiong, A., & Proctor, R. W. (2016). An empirical study of mnemonic sentence-based password generation strategies. In CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (pp. 1216-1229). (Proceedings of the ACM Conference on Computer and Communications Security; Vol. 24-28-October-2016). Association for Computing Machinery. https://doi.org/10.1145/2976749.2978346