Balancing Complexity and Memorability when Choosing a Password

Can you remember all of your passwords? If all else fails and you forget one, is one of the backup questions as simple as your mother’s maiden name? Many internet users struggle to find a balance between maintaining complex (thus secure) passwords and the ability to consistently remember them. Currently, identity theft and cyber security issues pose a dilemma: is it more important to have a secure password, or one that can be easily recalled?

A team of researchers at Google has found that this dilemma is especially present with “personal knowledge questions,” which are used as a secondary form of account security when users forget their passwords. The team presented their study, “Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google,” at the 24th International World Wide Web Conference. The report analyzes data from users with passwords from nine different languages (English, German, Russian, Portuguese, Spanish, Arabic, Korean, Chinese, and French) across multiple countries.

Some of the key findings below may inspire you to reconsider the reliability of your current passwords:

  • The use of simple password questions, such as “What is your favorite food?”, creates an overlap where multiple users share a common answer. The study found that nearly 20% of English-speaking users entered the same food as an answer to this question. The report did not distinguish which food was used, but if you have an account with “pizza” as an answer, it might be wise to find a new, obscure favorite food. Similar results were found for “favorite superhero.”
  • Intuitively, answers become more difficult to remember as the questions get more complex. The ability to recall a father’s middle name was 76%, whereas a frequent flyer number was 9%.
  • Answers requiring names and concepts withstand the test of time better than those with numbers. The ability to remember a father’s middle name decreased only 6% over time, whereas remembering a frequent flyer number decreased by 18%.
  • The study cites a source that was able to find 16% of answers to password questions on users’ social media pages, regardless of the account’s security settings. This may discourage users from choosing generic questions, such as “What was your high school mascot?” A different 2009 study was able to “extract answers to personal knowledge questions from 92% of users via email phishing.”
  • To reduce their susceptibility to being hacked, users often falsify the answers to their password questions. While this seems like a safe idea, it substantially decreases the user’s ability to recall the password. The study cites data that users who answered a question involving a phone number with six digits recalled the number 18% of the time, as opposed to 55% for users who used the full 7 digits.

Additional documents available at the Homeland Security Digital Library (some may require HSDL login) include:

  • Password Security, Protection, and Management – U.S. Computer Emergency Readiness Team
  • Standard Automatic Password Generator – National Institute of Standards and Technology
  • National Strategy for Trusted Identities in Cyberspace: Enhancing Online Choice, Efficiency, Security and Privacy – The White House


Article formerly posted at