Character Strings, Memory and Passwords: What a Recall Study Can Tell Us*

摘要

Many users must authenticate to multiple systems and applications, often using different passwords, on a daily basis. At the same time, the recommendations of security experts are driving increases in the required character length and complexity of passwords. The thinking is that longer passwords will result in greater "entropy," or randomness, making them more difficult to guess. The greater complexity requires inclusion of upper- and lowercase letters, numerals, and special characters. How users interact and cope with passwords of different length and complexity is a topic of significant interest to both the computer science and cognitive science research communities. Using experimental methodology from the behavioral sciences, we set out to answer the following question: how memorable are complex character strings of different lengths that might be used as higher-entropy passwords? In this experiment, participants were asked to memorize a series of ten different character strings and type them repeatedly into a computer program. Character string lengths varied and the random characters were made up of alphanumeric and special characters in order to mimic passwords. Not surprisingly, our findings indicate that the longer a character string is, the longer it takes for a person to recall it, and the more likely they are to make an error when trying to re-type that string. These effects are particularly pronounced for strings of eight to ten characters or longer.