Abstract

The most commonly used method of identification and authentication for many Web sites is the username-password combination. However, this is a notoriously weak security method because users tend to generate passwords that are easy to remember but also easy to crack. Proactive password checking has been proposed as a way to improve security at little cost to memorability: it lets users generate their own passwords but imposes restrictions intended to make those passwords more resistant to cracking. The present study evaluated the time and accuracy needed to generate unique passwords that satisfy different restrictions for multiple accounts, as well as the time and accuracy in recalling these passwords. Results showed that password restrictions do not necessarily make user-generated passwords more resistant to cracking, because cracking software has become increasingly sophisticated. Although users show good recall of unique passwords generated with restrictions for multiple accounts when the number of accounts is small, the memorability of the multiple passwords decreases as the number of possible accounts increases. One way to improve the memorability of passwords for multiple accounts is to have users generate them several times, at different points in time, before allowing them to exit the system.
