A study of password recall, perceived memorability, and strength using BCIs

Date

2018-04-01

Abstract

Passwords are considered the most common method of authentication, and studies are frequently conducted to understand users' password habits. In this thesis, we run two empirical studies that provide information to further our understanding of the trade-off between security and usability in passwords, using off-the-shelf brain-computer interfaces (BCIs). Initially, we conducted an experiment with 19 participants, where password recall was studied. We followed this with a second experiment with 77 participants, where perceived password memorability and recall were studied. In both experiments, the effect of password strength on users' behaviour was investigated. Password memorability and strength were studied by collecting electroencephalogram (EEG) potentials upon presentation of different passwords to participants. After the presentation of passwords, participants were asked to perform either password recall or password memorability ranking, depending on the experiment. Features from the EEG signals were extracted in three domains: power spectrum from the frequency domain, statistics from the time domain, and wavelet coefficients from the time-frequency domain. Feature selection methods were used, and the selected parameters and feature subsets were submitted for classification based on the different tasks performed by participants. Password recall, being the most established metric of password memorability, was investigated thoroughly in both experiments. An average accuracy of 85% was obtained when predicting password recall from short-term memory. Prediction of password recall from long-term memory was performed over an 8-10 day period. On the first day, an accuracy of 81% was achieved, whereas results close to random guessing were found on the second and eighth days. Prediction of users' judgment of password memorability was performed with an 82% accuracy.
Password strength effect on password recall and perceived memorability was investigated, and a strong influence was found with an effect size of 6:8 on password recall from short-term memory, and 3:8 on memorability perception. The results present empirical data that may help explain the common practice of users selecting weak and memorable passwords, also suggesting users are able to sense password strength and make usability decisions based on that.

Keywords

Password memorability, Password memorability perception, Password strength
