A behavioral analysis of passphrase design and effectiveness

Journal of the Association for Information Systems

Volumn 10, Issue 2, 2009, Pages 63-90

  Keith, Mark ^a   Shao, Benjamin ^a   Steinbart, Paul ^a  

^a ARIZONA STATE UNIVERSITY   (United States)

Author keywords

Authentication; Memory; Passphrases; Passwords; Security; Usability; User behavior

Indexed keywords

BEHAVIORAL RESEARCH; DATA STORAGE EQUIPMENT; SECURITY SYSTEMS;

PASSPHRASES; PASSWORDS; SECURITY; USABILITY; USER BEHAVIORS;

AUTHENTICATION;

EID: 70749087044     PISSN: None     EISSN: 15369323     Source Type: Journal    
DOI: 10.17705/1jais.00184     Document Type: Article

References (63)

1. Adams, D. A., Nelson, R. R., and Todd, P. A. "Perceived Usefulness, Ease of Use, and Usage of Information Technology: A Replication," MIS Quarterly (16:2), 1992, pp. 227-247
2. Anderson, J. R. Cognitive Psychology and its Implications 6th Edition, New York, NY, Worth Publishers, 2005
3. Baddeley, A. D. "The Influence of Acoustic and Semantic Similarity on Long-Term Memory for Word Sequences," Quarterly Journal of Experimental Psychology (18:4), 1966, pp. 302-309
4. Brown, A. S., Bracken, E., Zoccoli, S., and Douglas, K. "Generating and Remembering Passwords," Applied Cognitive Psychology (18:6), 2004, pp. 641-651
5. Burnett, M. Perfect Passwords: Selection, Protection, and Authentication, ebrary.com, Syngress Publishing, 2005
6. Cameron, K. A., Haarmann, H. J., Grafman, J., and Ruchkin, D. S. "Long-Term Memory is the Representational Basis for Semantic Verbal Short-Term Memory," Psychophysiology (42:6), 2005, pp. 643-653
7. Center for Internet Security, Windows XP Professional Operating System Legacy, Enterprise, and Specialized Security Benchmark Consensus Baseline Security Settings, Version 1.3, The Center for Internet Security, www.cisecurity.org, 2004
8. Cohen, J. D., McClelland, J. L., and Dunbar, K. "On the Automatic Control of Processes: A Parallel Distributed Processing Account of the Stroop Effect," Psychological Review (97:3), 1990, pp. 332-361
9. Conrad, R. "Acoustic Confusions in Immediate Memory," British Journal of Psychology (55), 1964, pp. 75-84
10. Cowan, N. "The Magical Number 4 in Short-Term Memory: A Reconsideration of Mental Storage Capacity," Behavioral and Brain Sciences (24:1), 2001, pp. 87-185
11. Crystal, D., Cambridge Encyclopedia of the English Language, Cambridge, MA, Cambridge University Press, 2003
12. Davis, F. "Perceived Usefulness, Perceived Ease of User, and User Acceptance of Technology," MIS Quarterly (13:3), 1989, pp. 319-339
13. DeSanctis, G. and Poole, M. S. "Capturing the Complexity in Advanced Technology Use: Adaptive Structuration Theory," Organization Science (5:2), 1994, pp. 121-147
14. Doumont, J. "Magical Numbers: The Seven-Plus-or-Minus-Two Myth," IEEE Transactions on Professional Communication (45:2), 2002, pp. 123-127
15. Driscoll, M. P. Psychology of Learning for Instruction 3rd Edition, Boston, MA, Pearson, 2005
16. Ericsson, K. A., Krampe, R. T., and Tesch-Romer, C. "The Role of Deliberate Practice in the Acquisition of Expert Performance," Psychological Review (100:3), 1993, pp. 363-406
17. Federal Information Processing Standards (FIPS) Publication 112, "Password Usage," 1985 (http://www.itl.nist.gov/fipspubs/fip112.htm) last accessed December 8, 2008
18. Gray, P. H. and Durcikova, A. "The role of knowledge repositories in technical support environments: Speed versus learning in user performance," Journal of Management Information Systems (22:3), 2005-6, 159-190
19. Hevner, A. R., March, S. T., Park, J., and Ram, S. "Design Science in Information Systems Research," MIS Quarterly (28:1), 2004, pp. 75-105
20. Huston, B. "Review of BioPassword Internet Edition," Information Security, 2006, pp. 65
21. Ives, B., Olson, M. H., and Baroudi, J. J. "The Measurement of User Information Satisfaction," Communications of the ACM (26:10), 1983, pp. 785-793
22. Ives, B., Walsh, K. R., and Schneider, H. "The Domino Effect of Password Reuse," Communications of the ACM (47:4), 2004, pp. 75-78
23. Jacoby, L. L. "On interpreting the effects of repetition: Solving a problem versus remembering a solution," Journal of Verbal Learning and Verbal Behavior (17:6), 1978, pp. 649-667
24. Johansson, J. "The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3," Microsoft TechNet, (October 1, 2004a), retrieved 27 March 2007, http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx
25. Johansson, J. "The Great Debates: Pass Phrases vs. Passwords. Part 2 of 3," Microsoft TechNet, (November 1, 2004b) retrieved 27 March 2007, http://www.microsoft.com/technet/community/columns/secmgmt/sm1104.mspx
26. Johansson, J. "The Great Debates: Pass Phrases vs. Passwords. Part 3 of 3," Microsoft TechNet, (December 1, 2004c) retrieved 27 March 2007, http://www.microsoft.com/technet/community/columns/secmgmt/sm1204.mspx
27. Johansson, J. M. and Riley, S. Protect Your Windows Network: From Perimeter to Data, Upper Saddle River, New Jersey, Addison-Wesley, 2005
28. John, B. E. "TYPIST: A Theory of Performance in Skilled Typing," Human-Computer Interaction (11:4), 1996, pp. 321-355
29. Johns, E. E., and Swanson, L. G. "The Generation Effect with Nonwords," Journal of Experimental Psychology: Learning, Memory, and Cognition (14:1), 1988, pp. 180-190
30. Keith, M., Shao, B., and Steinbart, P. "The Usability of Passphrases for Authentication: An Empirical Field Study," International Journal of Human-Computer Studies (65:1), 2007, pp. 17-28
31. Levenshtein, V. I. "Binary codes capable of correcting deletions, insertions, and reversals," Soviet Physics-Doklady (10), 1966, pp. 707-710
32. Lian, A., Karlsen, P. J., and Winsvold, B. "A Re-Evaluation of the Phonological Similarity Effect in Adults' Short-Term Memory of Words and Nonwords," Memory (9:4-6), 2001, pp. 281-299
33. Logan, F. A. "Errors in Copy Typewriting," Journal of Experimental Psychology: Human Perception and Performance (25:6), 1999, pp. 1760-1773
34. Mahmood, M. A., Burn, J. M., Gemoets, L. A., and Jaquez, C. "Variables Affecting Information Technology End-User Satisfaction: A Meta-Analysis of the Empirical Literature," International Journal of Human-Computer Studies (52:4), 2000, pp. 751-771
35. McKeen, J. D., Guimaraes, T., and Wetherbe, J. C. "The Relationship between User Participation and User Satisfaction: An Investigation of Four Contingency Factors," MIS Quarterly (18:4), 1994, pp. 427-451
36. Miller, G. A. "The Magical Number Seven, Plus or Minus Two: Some Limits on our Capacity for Processing Information," Psychological Review (63:2), 1956, pp. 81-97
37. Morris, R. and Thompson, K. "Password Security: A Case History," Communications of the ACM (22:11), 1979, pp. 594-597
38. Narayanan, A. and Shmatikov, V. "Fast Dictionary Attacks on Passwords Using Time-Space Tradeoff," Proceedings of the 12th ACM Conference on Computer and Communications Security CCS '05, November 7-11, 2005, Alexandria, Virginia, pp. 364-372
39. Orlikowsky, W. J. "Using Technology and Constituting Structures: A Practice Lens for Studying Technology in Organizations," Organization Science (11:4), 2000, pp. 404-428
40. Pond, R., Podd, J., Bunnell, J., and Henderson, R. "Word Association Computer Passwords: The Effect of Formulation Techniques on Recall and Guessing Rates," Computers & Security (19:7), 2000, pp. 645-656
41. Porter, S. N. "A Password Extension for Improved Human Factors," Computers & Security (1:1), 1982, pp. 54-56
42. Rieger, M. "Automatic Keypress Activation in Skilled Typing," Journal of Experimental Psychology: Human Perception and Performance (30:3), 2004, pp. 555-565
43. Ringle, C. M., Wende, S., and Will, A, SmartPLS, Hamburg, Germany: University of Hanburg, 2005.
44. Ruffo, G. and Bergadeno, R. "EnFilter: A Password Enforcement and Filter Tool Based on Pattern Recognition Techniques," Lecture Notes in Computer Science (3617), 2005, pp. 75-82
45. Rumelhart, D. E. and Norman, D. A. "Simulating a Skilled Typist: A Study of Skilled Cognitive-Motor Performance," Cognitive Science (6:1), 1982, pp. 1-36
46. Salthouse, T. A. "Perceptual, Cognitive, and Motoric Aspects of Transcription Typing," Psychological Bulletin (99:3), 1986, pp. 303-319
47. Simon, H. "How Big is a Chunk?" Science (183: 4124), 1974, pp. 482-488
48. Skoudis, E. and Liston, T. Counter Hack Reloaded, 2nd Edition, Upper Saddle River, New York, Prentice-Hall, 2006
49. Slamecka, N. J., and Graf, P. "The generation effect: Delineation of a phenomenon," Journal of Experimental Psychology: Human Learning and Memory (4:6), 1978, pp. 592-604
50. Taylor, S. and Todd, P. A., "Understanding Information Technology Usage: A Test of Competing Models," Information Systems Research (6:2), 1995, pp. 144-176
51. Todd, P. and Benbasat, I. "The Influence of Decision Aids on Choice Strategies: An Experimental Analysis of the Role of Cognitive Effort," Organizational Behavior and Human Decision Processes (60:1), 1994, pp. 36-74
52. Todd, P., and Benbasat, I. "Evaluating the Impact of DSS, Cognitive Effort, and Incentives on Strategy Selection," Information Systems Research (10:4), 1999, pp. 356-374
53. Todd, P., and Benbasat, I. "Inducing Compensatory Information Processing Through Decision Aids That Facilitate Effort Reduction: An Experimental Assessment," Journal of Behavioral Decision Making (13:1), 2000, pp. 91-106
54. Venkatesh, V. and Davis, F. D., "A Model of the Antecedents of Perceived Ease of Use: Development and Test," Decision Sciences (27:3), 1996, pp. 451-481
55. Venkatesh, V. and Davis, F. D., "A Theoretical Extension of the Technology Acceptance Model: Four Longitudinal Field Studies," Management Science (46:2), 2000, pp. 186-204.
56. Whitman, M. E. "Enemy at the Gate: Threats to Information Security," Communications of the ACM (46:8), 2003, pp. 91-95
57. Wiedenbeck, S., Waters, J., Birget, J., Brodskiy, A., and Memon, N. "PassPoints: Design and Longitudinal Evaluation of a Graphical Password System," International Journal of Human-Computer Studies (63:1-2), 2005, pp. 102-127
58. Wixom, B. H. and Todd, P. A. "A Theoretical Integration of User Satisfaction and Technology Acceptance," Information Systems Research (16:1), 2005, pp. 85-102
59. Wren, S. "Vocabulary," (http://www.balancedreading.com/vocabulary.html) last accessed on December 9, 2008
60. Yan, J., Blackwell, A., Anderson, R., and Grant, A. "Password Memorability and Security: Empirical Results," IEEE Security & Privacy (2:5), 2004, pp. 25-31
61. Zviran, M. and Haga, J. W. "Cognitive Passwords: The Key to Easy Access Control," Computers & Security (9:8), 1990, pp. 723-736
62. Zviran, M. and Haga, J. W. "A comparison of password techniques for multilevel authentication mechanisms," The Computer Journal (36:3), 1993, pp. 227-237
63. Zviran, M. and Haga, J. W. "Password Security: An Empirical Study," Journal of Management Information Systems (15:4), 1999, pp. 161-185