Reference: Luna, K. (2019). If it is easy to remember, then it is not secure: Metacognitive beliefs affect password selection. Applied Cognitive Psychology.
With online security breaches frequently in the news, you may have wondered whether your passwords are keeping you safe from hackers online. These breaches have revealed that people do not always seem to use secure passwords, with obviously insecure passwords such as “12345678” or “password” being commonly used for online services (1). One possible explanation for why people use passwords like these is that they are easy to remember. In the current study, researcher Karlos Luna aimed to explore people’s beliefs about the relationship between password security and memorability.
Across two experiments, Luna had Portuguese university students complete a questionnaire assessing their beliefs about the strength of various types of passwords. The participants then rated a set of 45-60 hypothetical passwords of varying levels of security. The actual security of each password was assessed with a password strength meter from a cyber security company, which estimates how long a computer would need to crack (guess) the password. Hypothetical passwords (listed in order of actual strength) could be: high-frequency words, low-frequency words, fake words (i.e., pseudowords), strings of letters, numbers, and special characters, or phrases. Participants rated each password on its memorability (specifically, the likelihood they would remember it the next day, on a 0-100 scale), its security (on a 1-6 scale), and whether or not they would use the password for a critical or noncritical online service, such as securing an online bank account or accessing a news website.
| Relative security | Password type | Example |
| --- | --- | --- |
| Least secure | High-frequency word | “proposal” |
| | Fake word (pseudoword) | “cigbet” |
| | String of lowercase letters | “xrvdsuhp” |
| | String of lowercase & uppercase letters and numbers | “U4pJI9mb” |
| | String of lowercase & uppercase letters, numbers, and special characters | “D;1Si]7!” |
| Most secure | Phrases | “no longer a freshman” |
Generally, participants’ beliefs (as assessed by the questionnaire) and security ratings were aligned with best practices for password creation. Specifically, ratings of perceived security increased with actual security in that participants tended to think that strings of letters, numbers, and special characters were more secure than words (both fake and real). Memorability ratings followed the opposite pattern, with words being rated as more memorable than strings of letters, numbers, and special characters. Additionally, intention to use a password was associated with security ratings – participants tended to want to use passwords they rated as highly secure, at least for critical internet services.
However, Luna observed an interesting dissociation between ratings of security and memorability when it came to password phrases. Whereas participants rated phrases as highly memorable, they perceived them as insecure passwords. Even though, in reality, phrases make more secure passwords than single words, participants rated them as no more secure than low-frequency words.
Implications for password selection
Why did participants rate phrases as weak passwords? Luna proposes that people tend to hold the belief, “If a password is easy to remember, then it must be weak.” Although this belief holds for some types of passwords (e.g., strings of random characters are both more secure and harder to remember than common words), it leads people astray when it comes to phrases. Phrases contain many characters and are therefore very time-consuming for a computer to crack, which makes them very secure despite being easy to remember. Thus, using phrases or sentences as passwords can combine security and memorability.
Two caveats to this suggestion are worth noting. First, famous quotes or popular culture references can easily be stored in a database and tried by a computer. Therefore, you should avoid common phrases or anything predictable (e.g., “Get busy living or get busy dying”). Second, you have probably come across sites that require passwords to be of a certain length and to include particular types of characters. In these cases, one compromise between satisfying such rules and keeping the password memorable is an acronym-based password. For example, a phrase such as “It’s noon and I’m hungry!” could become “It’s12&I’mh!”.
Creating and managing strong passwords is beyond the scope of the research summarized above, which focuses on people’s beliefs about password memorability and security. For tips on staying secure online, visit: https://www.us-cert.gov/ncas/tips/ST04-002
(1) Shen, C., Yu, T., Xu, H., Yang, G., & Guan, X. (2016). User practice in password security: An empirical study of real-life passwords in the wild. Computers & Security, 61, 130-141.