A behavioral analysis of passphrase design and effectiveness

Mark Keith, Benjamin Shao, Paul Steinbart

Research output: Contribution to journal › Article

38 Citations (Scopus)

Abstract

Although the use of multiple methods of user authentication for IT systems increases security, passwords are often the only credential required for access. Consequently, the challenge is to discover ways to improve password strength without impairing usability. Longer pass "phrases" have received increased attention as a solution to this challenge because they are potentially more resistant to attacks yet are easy to remember. Recent evidence, however, suggests that passphrases increase the likelihood of typographical errors resulting in login failures and negative user perceptions. This paper presents experimental results that demonstrate well-designed passphrases do not increase login failures and, thereby, generate positive user perceptions. Implications are drawn to help IT managers develop effective IT security policies in utilizing passphrases to improve authentication and to assist researchers in identifying avenues for future research.

Original language: English (US)
Pages (from-to): 63-90
Number of pages: 28
Journal: Journal of the Association of Information Systems
Volume: 10
Issue number: 2
State: Published - 2009

Fingerprint

Authentication
Security systems
Managers

Keywords

  • Authentication
  • Memory
  • Passphrases
  • Passwords
  • Security
  • Usability
  • User behavior

ASJC Scopus subject areas

  • Computer Science Applications
  • Information Systems

Cite this

A behavioral analysis of passphrase design and effectiveness. / Keith, Mark; Shao, Benjamin; Steinbart, Paul.

In: Journal of the Association of Information Systems, Vol. 10, No. 2, 2009, p. 63-90.

@article{08b0deb919034d3c8304dbe9638c0fd8,
title = "A behavioral analysis of passphrase design and effectiveness",
abstract = "Although the use of multiple methods of user authentication for IT system increases security, passwords are often the only credential required for access. Consequently, the challenge is to discover ways to improve password strength without impairing usability. Longer pass {"}phrases{"} have received increased attention as a solution to this challenge because they are potentially more resistant to attacks yet are easy to remember. Recent evidence, however, suggests that passphrases increase the likelihood of typographical errors resulting in login failures and negative user perceptions. This paper presents experimental results that demonstrate well-designed passphrases do not increase login failures and, thereby, generate positive user perceptions. Implications are drawn to help IT managers develop effective IT security policies in utilizing passphrases to improve authentication and to assist researchers in identifying avenues for future research.",
keywords = "Authentication, Memory, Passphrases, Passwords, Security, Usability, User behavior",
author = "Mark Keith and Benjamin Shao and Paul Steinbart",
year = "2009",
language = "English (US)",
volume = "10",
pages = "63--90",
journal = "Journal of the Association of Information Systems",
issn = "1536-9323",
publisher = "Association for Information Systems",
number = "2",

}

TY - JOUR

T1 - A behavioral analysis of passphrase design and effectiveness

AU - Keith, Mark

AU - Shao, Benjamin

AU - Steinbart, Paul

PY - 2009

Y1 - 2009

AB - Although the use of multiple methods of user authentication for IT system increases security, passwords are often the only credential required for access. Consequently, the challenge is to discover ways to improve password strength without impairing usability. Longer pass "phrases" have received increased attention as a solution to this challenge because they are potentially more resistant to attacks yet are easy to remember. Recent evidence, however, suggests that passphrases increase the likelihood of typographical errors resulting in login failures and negative user perceptions. This paper presents experimental results that demonstrate well-designed passphrases do not increase login failures and, thereby, generate positive user perceptions. Implications are drawn to help IT managers develop effective IT security policies in utilizing passphrases to improve authentication and to assist researchers in identifying avenues for future research.

KW - Authentication

KW - Memory

KW - Passphrases

KW - Passwords

KW - Security

KW - Usability

KW - User behavior

UR - http://www.scopus.com/inward/record.url?scp=70749087044&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=70749087044&partnerID=8YFLogxK

M3 - Article

AN - SCOPUS:70749087044

VL - 10

SP - 63

EP - 90

JO - Journal of the Association of Information Systems

JF - Journal of the Association of Information Systems

SN - 1536-9323

IS - 2

ER -