The Effectiveness and Usabilityof Passphrases for Authentication

摘要

In developing password policies, IT managers must strike a balance between security and memorability. Rules that improvestructural integrity against attacks (e.g., increasing length and multiple character types) may also result in passwords that aredifficult to remember. Recent technologies have relaxed the 8-character password constraint – permitting the creation oflonger pass-“phrases” consisting of multiple words. Psychology theories suggest users can remember passphrases at least aswell as passwords. This paper reports an experiment currently in progress that tests the usability of passphrases. Subjects arerandomly assigned to three different password creation techniques: a control group with no constraints, a secure group givenstrong password requirements, and a passphrase group. It is expected that the passphrases group will have fewer failed loginattempts than the secure group and no more failed login attempts than the control group. Practical implications includestronger authentication with reduced help desk costs.