University of Jyväskylä

Dissertation: 26.11.2016 Improving the Security of Multiple Passwords Through a Greater Understanding of the Human Memory (Woods)

Start date: Nov 26, 2016 12:00 PM

End date: Nov 26, 2016 03:00 PM

Location: Mattilanniemi, Agora Aud3

M.Sc. Naomi Woods defends her doctoral dissertation in Cognitive science “Improving the Security of Multiple Passwords Through a Greater Understanding of the Human Memory”. Opponent Associate Professor Miguel Gea (University of Granada, Spain) and custos Professor Pertti Saariluoma (University of Jyväskylä).

Passwords are an ever-growing problem for users. The more online services we use, the more accounts we collect, and the more passwords we have to create, learn and remember. And even though there seem to be alternatives being introduced, such as biometrics; either the technology is not sophisticated enough yet, or it is too expensive to use. Either way, while passwords are the back-up plan for when these alternatives fail, passwords are certainly not going anywhere for the foreseeable future.

Too many passwords lead many users to adopt memory strategies to cope with memory limitations. Memory strategies in every other part of our lives are useful, like shopping lists – we write down what we need to remember. But when it comes to passwords, the majority of memory techniques cannot be used as they are a security risk. Users also try other techniques, like reusing passwords, which are also a security risk. Many users will create weak passwords, using personal information, and choose the bare minimum of complexity so they can remember their passwords better.

In her dissertation, Naomi Woods examined the human memory to explain why users find it difficult to remember their passwords, and suggests ways that are not obvious to many users in which to make passwords more memorable.

Woods conducted several experiments and found firstly that how good users’ memories are, are not related to how well they remember your passwords. Secondly, small increases of repetition through password verification can increase password memorability, while not inconveniencing the user. Thirdly, having unique passwords for every account is more memorable than reusing or modifying passwords; and it is more secure.

Woods’ research suggests through understanding the human memory better, passwords can be made more memorable while not compromising security.


Background information:

Naomi Woods, naomi.woods@jyu.fi, 040 805 4417
Communications Intern Katja Ketola, tiedotus@jyu.fi, puh. 040 805 3638

Naomi Woods has graduated as MSc. in Clinical Psychology from the University of Wales, Bangor and BSc. (Hons.) in Psychology from the University of Westminster, London. She is currently working as Doctoral Researcher in Information Security Management.

The dissertation is published in the series Jyväskylä Studies in Computing, number 249, 151 p., Jyväskylä 2016, ISSN: 1456-5390; 249, ISBN: 78-951-39-6846-5. Read at JYX-portal: http://urn.fi/URN:ISBN:978-951-39-6846-5

 

Abstract

Multiple passwords are an increasing security issue that will only get worse with time. One of the major factors that compromise multiple passwords is users’ memory, and the behaviors they adopt to compensate for its failures. Through studying memory elements that influence users’ password memorability, we may increase our understanding of the user and therefore make proposals to increase the security of the password authentication mechanism. This dissertation examines the human memory to understand password security behaviors; and moreover, develops new theories and revises prominent memory theories for the password context. This research employs memory theories to not only increase the memorability of passwords, but to also improve the security of them by means of three studies that examine users’ beliefs and awareness (metamemory) about how their memory affects their password memorability and insecure password behavior; and look to increasing password memorability through improving learning (repetition through verification), and retrieval (through uniqueness). Empirical longitudinal studies collecting objective and subjective data measuring password recall (over 10000 passwords), memory interference, memory performance, memory beliefs, user convenience, and insecure password behavior.  Through collecting objective password recall data, the results of these studies challenge users’ preconceptions about justifying their adoption of insecure password behaviors. Furthermore, it challenges the assumption of trade-offs between password security, memorability and user convenience found in previous password research. In meeting the objectives of the dissertation, this research has significant practical implications for organizations and individual users. Through a greater understanding of the human memory this can inform users to adopt better password security practices. The implications of these results suggest how to increase password memorability, how to decrease password forgetting, and how to decrease insecure password behaviors and the consequences of such insecure behaviors (such as security breaches).

More information

Naomi Woods
naomi.woods@jyu.fi