Surpass: System-initiated User-replaceable Passwords
LERSSE-RefConfPaper-2015-006
Jun Ho Huh ; Seongyeol Oh ; Hyoungshick Kim ; Konstantin Beznosov
14 October 2015
Abstract: System-generated random passwords have maximum password security and are highly resistant to guessing attacks. However, few systems use such passwords because they are difficult to remember. In this paper, we propose a system-initiated password scheme called "Surpass" that lets users replace a few characters in a random password to make it more memorable. We conducted a large-scale online study to evaluate the usability and security of four Surpass policies, varying the number of character replacements allowed from 1 to 4 in randomly generated 8-character passwords. The study results suggest that some Surpass policies (with 3 and 4 character replacements) outperform the original randomly generated password policy in memorability by 11% to 13%, while showing a small increase in the percentage of cracked passwords. When compared to a user-generated password complexity policy (one that mandates the use of numbers, symbols, and uppercase letters), the Surpass policy with 4 character replacements did not show statistically significant inferiority in memorability. Our qualitative lab study showed similar trends. This Surpass policy did, however, demonstrate significant superiority in security, with 21% fewer cracked passwords than the user-generated password policy.
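The following Python model is an added illustration of the kind of policy the abstract describes; it is not the authors' implementation, and the paper's exact character set, its rules for what a replacement may be, and its security analysis (which was based on cracking experiments) are not given in this record. The alphabet, the rule that a replacement keeps the password length and stays within the alphabet, and the simplified entropy bound are therefore assumptions. It shows how a server can generate the random base password, verify that a user's edited version differs in at most k positions, and quantify the worst-case security cost of allowing k user-chosen characters.

```python
import math
import secrets
import string

# Assumed character set for the random base password (the paper's set is not
# stated in this abstract). 62 symbols, so each fully random character carries
# log2(62) ~ 5.95 bits.
ALPHABET = string.ascii_letters + string.digits
LENGTH = 8  # the abstract evaluates 8-character random passwords


def generate_password(length=LENGTH, alphabet=ALPHABET, rng=secrets):
    """System-initiated step: draw each character uniformly with a CSPRNG."""
    return "".join(rng.choice(alphabet) for _ in range(length))


def count_replacements(original, candidate):
    """Number of positions at which the user's candidate differs from the base."""
    if len(candidate) != len(original):
        raise ValueError("candidate must keep the length of the base password")
    return sum(1 for a, b in zip(original, candidate) if a != b)


def accept_replacement(original, candidate, max_replacements, alphabet=ALPHABET):
    """Surpass-style policy check (assumed rules): same length, characters drawn
    from the alphabet, and at most `max_replacements` positions changed.
    Returns (accepted, reason) so the caller can show the user why it failed."""
    if len(candidate) != len(original):
        return False, "length changed"
    if any(c not in alphabet for c in candidate):
        return False, "character outside the allowed set"
    k = count_replacements(original, candidate)
    if k > max_replacements:
        return False, f"{k} characters replaced, policy allows at most {max_replacements}"
    return True, f"{k} characters replaced"


def residual_entropy_bits(length=LENGTH, replacements=0, alphabet_size=len(ALPHABET)):
    """Simplified worst-case bound (assumption, not the paper's analysis): treat the
    k user-chosen characters and their positions as fully predictable, so only the
    untouched length-k characters contribute entropy. This is the floor an attacker
    who knows the policy and guesses the human-chosen part first is working against."""
    if not 0 <= replacements <= length:
        raise ValueError("replacements must lie between 0 and length")
    return (length - replacements) * math.log2(alphabet_size)


if __name__ == "__main__":
    base = generate_password()
    print("system-generated base:", base)
    for k in range(0, 5):
        print(f"k={k}: residual entropy floor {residual_entropy_bits(replacements=k):.1f} bits")
    # Constructed example: user turns the first four characters into a memorable word.
    edited = "pass" + base[4:]
    print(accept_replacement(base, edited, max_replacements=4))
    print(accept_replacement(base, edited, max_replacements=3))
```

The entropy floor makes the tradeoff in the abstract concrete: each additional replacement removes one uniformly random character, so a 4-replacement policy over a 62-symbol alphabet leaves a floor of about 23.8 bits from the random part, which is why the paper measures the real cost empirically with cracking rather than relying on such a bound alone.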
Keyword(s): Passwords ; Usability ; Authentication ; Usable Security
Published in: Jun Ho Huh, Seongyeol Oh, Hyoungshick Kim and Konstantin Beznosov. Surpass: System-initiated User-replaceable Passwords. In Proceedings of the ACM Conference on Computer and Communications Security (CCS'15), October 2015.
The record appears in these collections:
Refereed Conference Papers
Usable Security