Human factors in textual password-based authentication

Despite being the most commonly used method of authentication on the Web, textual password-based authentication is by no means a panacea as long as usability is concerned. In this dissertation work, we address some usability issues of textual password-based authentication and propose solutions to them. In our first work, we examine the problem of multiple password management and identify the mental model of users for managing multiple password-protected accounts. We propose a hierarchy of password importance and use an experiment to examine the degree of similarity between passwords for lower-level (e.g. news portal) and higher-level (e.g. banking) websites in this hierarchy. Leveraging the lower-level passwords constructed by subjects along with a password-cracking dictionary, we successfully cracked almost one-third of the subjects' higher-level passwords. This confirms that leaked lower-level passwords can be used by attackers to crack higher-level passwords.;In our second work, we examine the issue of textual password entry on mobile devices which is fraught with usability problems due to size and input constraints of mobile devices. We examine the association between password strengths and the keyboard/keypad layouts through which they are constructed, including computer keyboard and different types of mobile keypad layouts. We design a custom mobile keypad layout and demonstrate its effectiveness through extensive user studies.;Our third work focuses on measuring user comfort when constructing a strong password by using mobile devices. Since comfort is a basic construct for understanding usability, measuring user comfort in a security context is an issue of paramount importance. We solve this issue by applying standard techniques of psychometrics to develop a user comfort scale. We establish the essential psychometric properties (reliability and validity) of this scale and demonstrate how the scale can be used to profile password construction interfaces of popular smartphone handsets. We also theoretically conceptualize user comfort across different dimensions and use confirmatory factor analysis to verify our theory.;All these works reveal the weaknesses of user-chosen textual passwords. Thus, in our final work, we focus on system-assigned textual password consisting of lowercase letters only, in which the system randomly generates a sequence of lowercase letters for a user to be used as her password. It guards against a wide range of usability issues, but introduces memorability problem, which hinders its wide-scale deployment in real world. In our final work, we propose two methods to leverage different types of human memory and aid the users in memorizing system-assigned random passwords in an effective way. The first method (known as the method of loci or the memory palace method) exploits the spatial and the visual memory to help memorizing a list of ordered items. The second method (known as the link method or story method), on the other hand, facilitates the memorization process by creating a chain of memory cues. We implemented both of the methods in the context of memorizing system-assigned random textual passwords and conducted a two-part memorability study to test their effectiveness. We found that participants using the method of loci had a login success rate of 86% within three attempts, which is highest for any recall-based study with system-assigned random passwords. By extending the method of loci, we further conducted a separate study to test its effectiveness in helping users to memorize long passwords that offer almost crypto-level security. The results of this study demonstrate that the method of loci can be leveraged to help users memorize cryptographically-strong passwords, without relaxing the time constraint to learn the password too much.