Password psychology

Living in the intersection of cryptography and psychology, password psychology is the study of what makes passwords or cryptographic keys easy to remember or guess.

In order for a password to work successfully and provide security to its user, it must be kept secret and un-guessable; this also requires the user to memorize their password. The psychology behind choosing a password is a unique balance between memorization, security and convenience. Password security involves many psychological and social issues including; whether or not to share a password, the feeling of security, and the eventual choice of whether or not to change a password. Passwords may also be reflective of personality. Those who are more uptight or security-oriented may choose longer or more complicated passwords. Those who are lax or who feel more secure in their everyday lives may never change their password. The most common password is Password1, which may point to convenience over security as the main concern for internet users.

History
The use and memorization of both nonsense and meaningful alphanumeric material has had a long history in psychology beginning with Hermann Ebbinghaus. Since then, numerous studies have established that not only are both meaningful and nonsense "words" easily forgotten, but that both their forgetting curves are exponential with time. Chomsky advocates meaning as arising from semantic features, leading to the idea of "concept formation" in the 1930s.

Current research
Research is being done to find new ways of enhancing and creating new techniques for cognitive ability and memorization when it comes to password selection. A study from 2004 indicates that the typical college student creates about 4 different passwords for use with about 8 different items, such as computers, cell phones, and email accounts, and the typical password is used for about two items. Information about the type of passwords points to an approximate even split between linguistic and numeric passwords with about a quarter using a mix of linguistic/numeric information. Names (proper, nicknames) are the most common information used for passwords, and dates are the second most common type of information used in passwords. Research is also being done regarding the effect of policies that force users to create more secure and effective passwords. The results of this study show that a password composition policy reduces the similarity of passwords to dictionary words. However, such a policy did not reduce the use of meaningful information in passwords such as names and birth dates, nor did it reduce password recycling.

Memorization problems
Password psychology is directly linked to memorization and the use of mnemonics. Mnemonic devices are often used as passwords but many choose to use simpler passwords. It has been shown that mnemonic devices and simple passwords are equally easy to remember and that the choice of convenience plays a key role in password creation.

Password alternatives
In order to address the issues presented by memorization and security many businesses and internet sites have turned to accepting different types of authentication. This authentication could be a single use password, non-text based, Biometric, a 2D key, multi-factor authentication, or Cognitive Passwords that are question based. Many of these options are more expensive, time consuming or still require some form of memorization. Thus, most businesses and individuals still use the common format of single word and text-based passwords as security protection.

The most common alternative to tradition passwords and PIN codes has been biometric authentication. Biometric authentication is a method where systems use physical and/or behavioral traits unique to a specific individual to authorize access. Some of the most popular forms of biometric passwords are as follows: fingerprint, palm prints, iris, retina, voice, and facial structure. The appeal of biometrics as a form of passwords is that they increase security. Only one person has access to a set of fingerprints or retinal patterns which means the likelihood of hacking decreases significantly. Biometric authentication has 4 important factors, or modules, that keep systems and accounts from being compromised: sensor module, feature extraction module, template database, and matching module. These 4 sections of biometric authentication, while more involved, create a layer of protection that a tradition password option cannot. The sensor module is responsible for getting a hold of a user’s method of protection whether it be fingerprint scan, facial scan, or voice. The second module, feature extraction, is where all the raw data acquired from the previous module is broken down into the key components. The template, or database module, takes the key components gathered previously and saves them virtually. Lastly, the matching module is employed in order to verify if the inputted biometric method is legitimate. The modules that record, process, and verify biometrics, need to be run in 2 different stages, enrollment and recognition; within these 2 stages we see more sub-stages. In the enrollment stage we see the entirety of the four modules working at once as a digital version of the biometric data is generated and stored. The recognition stage has two sub-sections called verification and identification. During verification process the systems job is to ensure that the individual trying to gain access is who they are stating they are. The identification process fully identifies the individual.

Though biometric authentication is a method that in seen increasingly more often, it isn’t without its issues. A biometric system is affected by similar issues that a tradition password system has. When a user inputs their biometric information one of four things can happen. A user may be truly be who they say they are and are granted access to the system. Conversely, a user may be impersonating someone and will be rejected access. The two other scenarios are when an authentic user is rejected access and an impersonator is granted access. This type of fraud can occur as there are certain individuals that may share virtually identical voices. In other instances, the initial attempt to record the biometric data may have been compromised. During the 4 modules, a user may have inputted corrupted data. An example of this is most commonly seen in fingerprints where an individual may use a wet finger or a scarred finger to record their data. These errors introduce the possibility of insecurity. These issues can occur for facial recognition. If a pair of twins or even two people who like similar try to access a system, they may be granted access.