Towards Making Random Passwords Memorable: Leveraging Users' Cognitive Ability Through Multiple Cues
The work addresses the problem of poor memorability for system-assigned passwords, potentially improving security for users in applications like financial accounts, though it is incremental in that it builds on existing cued-recognition approaches.
The paper tackles the usability-security tension in passwords by proposing CuedR, a cued-recognition scheme that helps users memorize system-assigned random passwords using multiple cues, resulting in 100% login success within three attempts after one week and a mean login time of 38.0 seconds.
Given the choice, users produce passwords reflecting common strategies and patterns that ease recall but offer uncertain and often weak security. System-assigned passwords provide measurable security but suffer from poor memorability. To address this usability-security tension, we argue that systems should assign random passwords but also help with memorization and recall. We investigate the feasibility of this approach with CuedR, a novel cued-recognition authentication scheme that provides users with multiple cues (visual, verbal, and spatial) and lets them choose the cues that best fit their learning process for later recognition of system-assigned keywords. In our lab study, all 37 of our participants could log in within three attempts one week after registration (mean login time: 38.0 seconds). A pilot study on using multiple CuedR passwords also showed 100% recall within three attempts. Based on our results, we suggest appropriate applications for CuedR, such as financial and e-commerce accounts.