Password authentication is a widely used method of authentication. Most often, users choose passwords that are easy to remember, but that are also weak. Many service providers instruct users to create strong passwords with requirements such as password must have a minimum number of characters, must include uppercase letters or digits, or it must include a special character. Those passwords created under requirements from service providers can be hard for the user to remember leading him/her to write it down.
The mnemonic password strategy help users create strong and usable passwords. The most popular mnemonic password strategy, Mnemonic sentences, is based on a memorable random sentence to which we abbreviate the words of the sentence, and concatenate words’ initials to form a password.
In this study, Bei Ye and his colleagues conducted an online survey to evaluate four kinds of mnemonic password creation tips and compared them with two control groups. They assessed the security of passwords under two attacks: one where the attacker knows the password tips used by users (known attack), one where the attacker does not know the password tips used by users (unknown attack).
The researchers recruited 209 participants who have to choose a tip that they thought is easy to remember from the four mnemonic password creation tips.
These four mnemonic tips create passwords were:
- SenSub refers to Sentence substitution. User chooses a random sentence and replace each word of the sentence with a letter, a digit, a special character, or a word and combines them to form a password.
- KbCg refers to Keyboard change. User selects a basic password that can be easily memorized then the user moves one or more keys on the keyboard as a password to the top left, top right, bottom left, and bottom right. For example, if the basic word is “material,” and we choose to move a key to the top left, the password will be “jq5348qo”.
- UsForm refers to Using a formula. User selects an easy-to-remember mathematical formula and then selects several numbers to calculate the password. For example if we choose 1+2+3=6, the password can be “one+two+3=6” or 1+two+three=six”
- SpIns refers to Special character insertion. User selects a basic password and inserts special characters at any position of the basic password to form his/her password.
The authors divided the 209 passwords into four groups according to different password creation tips. The control groups are composed of a selection of 1000 random passwords leaked from some online game websites and forums.
The researchers then compared the password strength created by the four test groups with the password strength selected by in two control groups.
The results showed that:
- SenSub: Users tend to choose a famous sentence and only keep the first letter of each word from the original sentence. The authors recommend using a personalized sentence and varying the way each word are replaced (choose the second letter of the second word, the third letter of the third word, etc.)
- KbCg: Users tend to choose a common word as a basic password. The authors found that the strength of the passwords is close to the strength of the basic password selected. Thus, if you choose a basic word as a base, your password with this tip will be easily hacked. To avoid this situation, users should avoid using a basic word and select the least common keyboard pattern. However, this will make it harder to remember the password making this tip is not the most useable.
- UsForm: Users tend to keep the numbers of the formula (not replacing it by letters). Passwords created through this tip were not resistant to guessing attacks.
- SpIns: Users tend to add the special character at the beginning, between two words or at the end of the password. The strength of the password created through this tip is weak.
Out of the four mnemonic creation tips proposed in this study, the authors highly recommend the Sensub, as passwords created through this tip were harder to hack.