Password Recall Following Employment of a Story-Based Mnemonic Strategy

Abstract

The password creation and management process presents a problem for users as secure passwords are not often very memorable, and memorable passwords are rarely secure (Adams & Sasse, 1999). Given that passwords are currently the dominant authentication method and that this situation is unlikely to change in the near future, it is imperative to continue to investigate the most effective password behaviors. Researchers have suggested that encouraging users to create passwords based on stories can be an effective method to improve password recall (Blocki, Komanduri, Cranor, & Datta, 2015). The Person-Action-Object (PAO) strategy has users create a password string based on a person they select from a predetermined list, which is later paired with an action and an object. Users are asked to imagine the person acting upon said object in a certain context. For instance, a user may imagine Darth Vader (person) bribing (action) a roach (object) among lily pads. The PAO method can help users circumvent much of the forgetting that happens soon after encoding a password. It has separately been suggested that processing pieces of information based on their relevance to one’s own fitness and survival can be the most advantageous type of processing for human memory (Nairne & Pandeirada, 2008; Nairne, Thompson, & Pandeirada, 2007). When paired against some of the most successful classic encoding techniques, processing information in regard to one’s survival has been demonstrated to be more effective (Nairne et al., 2007). The benefit provided by encoding items based on the survival-related context in comparison to similarly vivid contexts has come to be known as the survival processing advantage. Though the survival processing advantage has been found consistently across many memory studies, this advantage has not yet been studied in the context of improving memory for passwords. The present study is one of the first attempts aimed at applying what has been posed as a stone-age memory adaptation to modern-day cyber security issues. Participants were recruited from a university introductory psychology subject pool and participated in a two-part study in exchange for course credit. They were given instructions on how to use the PAO method and randomly assigned to one of two password generation conditions (i.e., vacation or survival). Depending on the context, participants were to imagine their selected person acting upon an item to ensure a successful vacation or their survival in a foreign land. The participants entered the passwords they generated into a simulated shopping website. Participants recalled their passwords after 2-min and 7-day delays. The present study found support for the PAO strategy, but did not find any systematic differences between the survival and vacation encoding conditions aimed at investigating a survival advantage beyond using the PAO strategy. In general, recall accuracy rates were very high across conditions. All participants either remembered their passwords without any mistakes or recalled almost the entirety of their passwords with relatively minor mistakes. The plausibility of implementing the PAO strategy in everyday life is further supported by subjective reports obtained on ease of recall and accuracy ratings. The manner in which participants misremembered their passwords was also systematic (e.g., mistaking the tense of the word “cook”), suggesting that additional training may be effective. Beyond the support obtained for the use of PAO strategies, there were no differences found between the control (vacation) and survival conditions. Given the robust nature of the survival processing advantage in the literature, however, it seems unlikely that it would not apply in the cybersecurity domain. Instead, the PAO strategy itself may have been sufficiently effective to produce ceiling effects that did not allow for the detection of any advantage for the survival processing condition.