Improving Text Passwords Through Persuasion

July 24, 2008 by Richard Conlan

http://cups.cs.cmu.edu/soups/2008/proceedings/p1Forget.pdf

The research explored a novel password selection strategy, Persuasive Text Passwords (PTP), in which subjects enter a password and the system shuffles in random characters to make it more secure. The researchers explored different methods of selecting and placing the characters.

The goal is not only to help users choose better passwords, but also to build on elements of Persuasive Technology to help them better understand what makes a password secure, in hopes that they will choose better passwords in general.

The results showed that those with shuffled passwords took longer to confirm their password initially, but did as well as the control group when recalling them later. The study included a mental exercise between sessions to clear the subject’s memory, to better simulate a longer period between attempts. They ran John the Ripper over the resulting passwords and were happy to find that not a single PTP-improved password was cracked!

Unfortunately, it was found that as users proceeded through the trial they tended to choose less secure initial passwords once they knew the PTP system would add more characters, perhaps limiting the total security gains realizable by PTP.
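The insertion step described above, and the reason a weaker starting password limits the gain, as an added sketch (not code from the paper or the PTP system). The character pool, the function names and the uniform random placement are assumptions; the post does not say which selection and placement methods the researchers used.

```python
import math
import secrets
import string

# Assumed pool for inserted characters (94 printable ASCII symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def insert_random_chars(password: str, count: int, alphabet: str = ALPHABET) -> str:
    """Insert `count` CSPRNG-chosen characters at uniformly random positions."""
    if count < 0:
        raise ValueError("count must be non-negative")
    if not alphabet:
        raise ValueError("alphabet must not be empty")
    chars = list(password)
    for _ in range(count):
        pos = secrets.randbelow(len(chars) + 1)  # any gap, including both ends
        chars.insert(pos, secrets.choice(alphabet))
    return "".join(chars)


def added_bits_upper_bound(base_len: int, count: int, alphabet_size: int) -> float:
    """Upper bound on the entropy (bits) the insertions contribute.

    There are C(base_len + count, count) placements and alphabet_size**count
    character choices; distinct choices can collide on the same string, so
    this is a bound, not an exact figure.
    """
    placements = math.comb(base_len + count, count)
    return math.log2(placements) + count * math.log2(alphabet_size)


def is_subsequence(base: str, improved: str) -> bool:
    """True if the user's original characters survive, in order, in `improved`."""
    remaining = iter(improved)
    return all(ch in remaining for ch in base)


if __name__ == "__main__":
    base = "sunshine"  # constructed sample of a dictionary-word password
    improved = insert_random_chars(base, 2)
    bits = added_bits_upper_bound(len(base), 2, len(ALPHABET))
    # The insertions add at most `bits` of guessing work on top of whatever
    # the base password provides. If users pick a more guessable base because
    # they expect the system to compensate, the total can end up no higher.
    print(f"{base!r} -> {improved!r}, at most {bits:.1f} added bits")
```
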