The Impact Of Different Cues on the Memorability Of System-assigned Recognition-based Textual Passwords
To ensure memorability, users employ predictable patterns when creating new passwords. These patterns make passwords easy to guess, which not only increases risks to users but also for the entire system. In contrast, system-assigned textual passwords offer security but suffer from poor memorability. Previous research investigated the idea of textual recognition, in which the user would be assigned a word from a list and asked to recall the word later. The recall rate for this scheme was shown to be no better than memorizing a sequence of randomly assigned letters, but the researchers suggested that memorability may be improved if the words always appear in the same position in the list. This proposal to leverage spatial cues inspired us to explore the use of cues, including spatial but also verbal and graphical cues, to improve memorability in textual recognition. In particular, we design three schemes with different cues to see the impact of each cue. TextS is a textual recognition scheme with spatial cues, such that the words appear in the same position each time. TextSV is similar to TextS, but it also offers verbal cues, i.e., phrase/facts related to keywords for textual recognition. Finally, TextSVG is similar to TextSV, but it includes graphical cues, images representing each keyword to go along with verbal and spatial cues. In our multi-session lab study, all 52 participants were assigned three different passwords types (TextS, TextSV and TextSVG), one for each study condition. One week after registration, the login success rate for TextS was 62%, while the login success rate for the TextSV and TextSVG schemes were 94% and 96% respectively. The login success rate for TextSV was significantly higher than TextS, while there was no significant difference between the TextSV and TextSVG schemes. These results give us insight about the impact of the different types of cues and also provide a potential future direction to attain adequate memorability for system-assigned passwords.