A system-generated password and mnemonic approach to optimize the security and usability of text-based passwords

In this study a novel password generation policy called the system-generated password and mnemonic was designed and implemented. The intent of this policy was to optimize both the security and usability of text-based passwords. After implementing the policy we evaluated its usability and compared it with three other existing policies: user-generated password, system-generated password and user-generated mnemonic for a system-generated password. In order to have a fair comparison among the policies we maintained a constant level of security of 30+/-2 entropy as dictated by NIST level 2 standards.;The study involved 64 participants, equally divided into four groups, 16 in each password policy condition. The study took place over two sessions, with a period of 5--7 days in between them. In the first session, depending on the password policy condition, the participants were either assigned or asked to create a password. The participants were then asked to recall their passwords in the same session and after 5--7 days in the second session. The four password policy conditions were compared with respect to the following dependent variables: the time taken to create the password account, the password creation error rate, the time taken to recall and recall error rates for both sessions, unrecoverable passwords in the second session, proximity of the recalled password to the stored password as measured by the Damerau-Levenshtein and Jaro-Winkler edit distances; and the subjective ratings for the NASA task load indices and the System Usability Scale questionnaire.;There was a significant effect of password policy condition on the time taken to create a password account and for the performance index of the NASA-TLX questionnaire. Across the task sessions, there were statistically significant differences for the time taken to recall the password, recall error rates, the performance index of the NASA-TLX questionnaire and the SUS score. There were no significant differences for creation error rates, creation SUS, recall error rates and unrecoverable passwords among the password policy conditions.;The results of this study suggest that overall performance was better for the user-generated policies (user-generated password and system-generated password along with a user-generated mnemonic) than for the system-generated policies (system-generated password and system-generated password and mnemonic). One of the reasons for this result might be that the direct involvement of the user in generating the password or mnemonic enhances their memorability. Other reasons mentioned by the users were that the system-generated mnemonic policy was complex and employed difficult words which were difficult to memorize and thus recollect. As a result of conducting this experiment it is concluded that user-generated policies are better in terms of usability and memorability than system-generated passwords. However, the user feedback recorded in this study suggests a number of approaches for improving the usability of system-generated password policies.