"Access control based on the verification of a person's identity is commonly used in information system/computer installations. The most widely used mechanism for access control to information systems is passwords. Passwords can be machine-generated using a list of words stored in a memory bank, machine-generated using a sophisticated algorithm to create a pseudo-random combination of characters or they can be user-generated. User-generated passwords typically take on the characteristics of some type of meaningful detail that is simple in structure and easy to remember. Memorability and security pose a difficult trade-off in password generation. On one hand a system security administrator wants passwords that are unpredictable, frequently changed and provide the greatest degree of system security achievable. Users, on the other hand, want passwords that are simple and easy to remember. If passwords are chosen to make them difficult to guess, they may become difficult to remember. When they become difficult to remember they are likely to be written down. Once written down a compromise to security occurs because users tend to store them in insecure places. This thesis looks at user-generated password characteristics. Of particular interest is how password selection, memorability and predictability are affected by the number of characters in a password, the importance and sensitivity of a user's data, a user's work location, how a password was chosen, the frequency of changing a password and the frequency of logging on to a system with a password."
Defense Technical Information Center (DTIC): http://www.dtic.mil/dtic/