Understanding Password Preferences, Memorability, and Security through a Human-Centered Lens
For researchers and designers of authentication systems, this work highlights the role of visual attention in password security, offering a novel perspective beyond the traditional security-usability trade-off.
This study investigates the security-usability trade-off in passwords by comparing AI-generated and self-generated passwords. It finds that while AI-generated passwords are stronger, users prefer self-generated ones, and visual attention to contextual cues correlates with higher password entropy.
Passwords remain the primary authentication method, yet user-created passwords are often the weakest due to the security-usability trade-off. Although AI-based password generators are emerging, little is known about their effectiveness and user perceptions. This eye-tracking study examined how behavior during password creation, selection, and memorization relates to objective and subjective password quality. Four password models, three AI-based (DeepSeek-API, ChatGPT-API, PassGPT) and one rule-based random generator, generated suggestions from participants' self-generated passwords across four website contexts. Eye movements were recorded throughout the experiment. Results confirm the expected trade-off between AI-generated password strength and human memorability but also reveal a novel behavioral link. Despite stronger AI-generated passwords, participants favored self-generated ones. Notably, visual attention to contextual cues was significantly correlated with higher password entropy. This suggests that security is shaped not only by the generation tool but also by users' visual engagement with contextual cues, highlighting the potential of attention-driven security design.