Abstract

Computer Science, Roskilde University, Roskilde, Denmark. Phone: +45 4677 3077, email: mhz@ruc.dk

Passwords are a widely used mechanism for user authentication and thus critical to the security of many systems. To provide effective security, passwords should be known to the password holder but remain unknown to everybody else. While personal information and real words are relatively easy for a user to remember, they make weak passwords from a security point of view because they are vulnerable to informed guessing and dictionary attacks. Strong passwords (e.g., b5j#Kv!8N) are less vulnerable to attack but at the same time more difficult to remember. However, the sheer number of passwords people must have to accomplish their day-to-day activities exceeds most humans’ capacity for remembering meaningless strings of characters [1]. Most users handle the ensuing conflict between security and ease of use by choosing passwords that are easy to remember, writing down their passwords, using the same password for multiple systems, or in other ways giving ease of use priority over security.

Minimal-feedback hints are introduced to support users in remembering their passwords and thereby enable them to choose stronger passwords. Whereas most password mechanisms leave it entirely to users to remember their passwords, minimal-feedback hints aid users’ memory by providing them with a couple of the password characters when prompted for their password (see Figure 1). Minimal-feedback hints were first suggested by Lu and Twidale [3] with the thinking that “a few carefully revealed hints will jog an authorized user’s memory, but will be of insufficient help to an unauthorized user who does not know the password in the first place”.
