Influences of Human Cognition and Visual Behavior on Password Strength during Picture Password Composition

Visual attention, search, processing and comprehension are important cognitive tasks during a graphical password com-position activity. Aiming to shed light on whether individual differences on visual behavior affect the strength of the created passwords, we conducted an eye-tracking study (N=36) and adopted an accredited cognitive style theory to interpret the results. The analysis revealed that users with different cognitive styles followed different patterns of visual behavior which affected the strength of the created passwords. Motivated, by the results of the first study, we introduced adaptive characteristics to the user authentication mechanism, aiming to assist specific cognitive style user groups to create more secure passwords, and conducted a second study with a new sample (N=40) to test the adaptive characteristics. Results strengthen our assumptions that adaptive mechanisms based on users’ differences in cognitive and visual behavior uncover a new perspective for improving the password’s strength within graphical user authentication realms

Can Long Passwords Be Secure and Usable?

To encourage strong passwords, system administrators employ password-composition policies, such as a traditional policy requiring that passwords have at least 8 characters from 4 character classes and pass a dictionary check. Recent research has suggested, however, that policies requiring longer passwords with fewer additional requirements can be more usable and in some cases more secure than this traditional policy. To explore long passwords in more detail, we conducted an online experiment with 8,143 participants. Using a cracking algorithm modified for longer passwords, we evaluate eight policies across a variety of metrics for strength and usability. Among the longer policies, we discover new evidence for a security/usability tradeoff, with none being strictly better than another on both dimensions. However, several policies are both more usable and more secure that the traditional policy we tested. Our analyses additionally reveal common patterns and strings found in cracked passwords. We discuss how system administrators can use these results to improve password-composition policies