Internet users maintain an average of 25 accounts that require passwords. Good passwords are hard to remember, so to cope with the increasing number of passwords they are expected to remember people tend to reuse them. Is there any truth behind the assumption that passwords that are hard to guess are hard to remember? This study addresses this assumption by physiologically measuring the extent to which the perception of password memorability is in conflict with “password strength”.
Alomari et al. compared passwords perceptions with electroencephalogram (ECG) data, which records brain activity. They presented their 77 study participants with different passwords, asking them to rank their memorability. The brain activity data, recorded through a wireless headband, was combined with the reported ease of recall. This was then used to classify passwords and predict what would be perceived as more or less memorable. The authors also investigated password recall using brain activity data, asking participants to memorize two passwords for a period of 8 to 10 days. Participants were also asked to describe which characteristics make passwords more memorable.
The study consisted of three parts:
Recall prediction: Participants were asked to recall two algorithmically generated passwords based on seed words they provided. Participants were tested three times: on the first, second, and eighth days of the study.
Perception of memorability: Participants were asked to rank the memorability of 15 blocks of five real passwords extracted from password leaks. All passwords were 12 characters long and were evaluated and ranked by a strength estimator program.
A Survey: Participants were asked what makes a password more or less memorable.
The electroencephalogram test results were linked to how hard people thought passwords would be to remember. Password recall was successfully linked to brain activity data with an average accuracy of 81 percent on the first-day session. Predicting recall over longer periods of time appeared to be challenging, with poor performance on days 2 and 8. Password characteristics had a notable effect on how participants perceived their memorability. Passwords consisting of dictionary words, patterns, or phrases were perceived as more memorable, whereas passwords consisting of names or random letters and numbers were perceived as less memorable. Interestingly, password length was not a concern for memorability. The responses about what made a password memorable were generally consistent with the rankings of password memorability during the experiment.
People seem to know if a password will be easy to remember and consequently can make decisions based on that information. The characteristics of passwords and their strength had a substantial effect on the perception of memorability, even when participants had no information as to how strong the passwords actually were. This provides firm support that passwords that seem easier to remember, such as those containing words, are actually easier to remember than those containing random strings of characters; which can impact the utility of chosen paswords.
Passwords that seem easy to forget, are probably actually more forgettable.