Password psychology

Living in the intersection of cryptography and psychology, password psychology is the study of what makes passwords or cryptographic keys easy to remember or guess. In order for a password to work successfully and provide security to its user, it must be kept secret and un-guessable; this also requires the user to memorize their password. The psychology behind choosing a password is a unique balance between memorization, security and convenience. Password security involves many psychological and social issues, including whether or not to share a password, the feeling of security, and the eventual choice of whether or not to change a password. Passwords may also be reflective of personality. Those who are more uptight or security-oriented may choose longer or more complicated passwords. Those who are lax or who feel more secure in their everyday lives may never change their password. The most common password is Password1, which may point to convenience over security as the main concern for internet users.


History

The use and memorization of both nonsense and meaningful alphanumeric material has had a long history in psychology beginning with Hermann Ebbinghaus. Since then, numerous studies have established that not only are both meaningful and nonsense “words” easily forgotten, but that both their forgetting curves are exponential with time (Ostojic, P. P., & Phillips, J. G. (2009). Memorability of Alternative Password Systems. International Journal of Pattern Recognition & Artificial Intelligence, 23(5), 987-1004). Chomsky advocates meaning as arising from semantic features, leading to the idea of “concept formation” in the 1930s.


Current research

Research is being done to find new ways of enhancing and creating new techniques for cognitive ability and memorization when it comes to password selection. A study from 2004 indicates that the typical college student creates about 4 different passwords for use with about 8 different items, such as computers, cell phones, and email accounts, and the typical password is used for about two items (Brown, Alan S.; et al. (2004), "Generating and Remembering Passwords", Applied Cognitive Psychology 18 (6): 641–651). Information about the type of passwords points to an approximately even split between linguistic and numeric passwords, with about a quarter using a mix of linguistic/numeric information. Names (proper, nicknames) are the most common information used for passwords, and dates are the second most common type of information used in passwords. Research is also being done regarding the effect of policies that force users to create more secure and effective passwords (Campbell J, Ma W, Kleeman D. Impact of restrictive composition policy on user password choices. Behaviour & Information Technology [serial online]. May 2011;30(3):379-388). The results of this study show that a password composition policy reduces the similarity of passwords to dictionary words. However, such a policy did not reduce the use of meaningful information in passwords such as names and birth dates, nor did it reduce password recycling.
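The gap described above, where a composition policy is satisfied by passwords that are still built from names, dates or a recycled base word, can be shown with a short check. This is an added example, not code from the cited studies; the name list, the policy rules and the function names are assumptions chosen for illustration.

```python
import re
from datetime import datetime

# Constructed sample name list (an assumption; a real deployment would use
# the user's own profile fields and a larger name corpus).
KNOWN_NAMES = {"michael", "jessica", "daniel"}

def meets_composition_policy(pw):
    """Restrictive composition rule: length >= 8 plus all four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)

def _looks_like_date(digits):
    """True for a plausible year or a DDMMYYYY / MMDDYYYY / DDMMYY / MMDDYY run."""
    if len(digits) == 4:
        return 1900 <= int(digits) <= 2099
    formats = {8: ("%d%m%Y", "%m%d%Y"), 6: ("%d%m%y", "%m%d%y")}
    for fmt in formats.get(len(digits), ()):
        try:
            datetime.strptime(digits, fmt)
            return True
        except ValueError:
            pass
    return False

def _base(pw):
    """Strip trailing digits and symbols so 'Summer2023!' and 'summer24#' match."""
    return re.sub(r"[^a-z]+$", "", pw.lower())

def meaningful_info(pw, previous=()):
    """Return the kinds of personal or recycled material found in pw."""
    findings = []
    letters = re.sub(r"[^a-z]", "", pw.lower())
    if any(name in letters for name in KNOWN_NAMES):
        findings.append("name")
    if any(_looks_like_date(run) for run in re.findall(r"\d+", pw)):
        findings.append("date")
    if _base(pw) and any(_base(pw) == _base(old) for old in previous):
        findings.append("recycled")
    return findings
```

A password such as `Michael1985!` passes `meets_composition_policy` yet is flagged for both a name and a date, which is why a composition rule alone does not measure guessability.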


Memorization problems

Password psychology is directly linked to memorization and the use of mnemonics. Mnemonic devices are often used as passwords, but many choose to use simpler passwords. It has been shown that mnemonic devices and simple passwords are equally easy to remember and that the choice of convenience plays a key role in password creation (Yan, Jeff, Alan Blackwell, Ross Anderson, and Alasdair Grant. IEEE Security & Privacy. The IEEE Computer Society, Sept. 2004. Web).


Password alternatives

In order to address the issues presented by memorization and security, many businesses and internet sites have turned to accepting different types of authentication. This authentication could be a single-use password, non-text based, biometric, a 2D key, multi-factor authentication, or cognitive passwords that are question based. Many of these options are more expensive, time consuming or still require some form of memorization. Thus, most businesses and individuals still use the common format of single word and text-based passwords as security protection.

The most common alternative to traditional passwords and PIN codes has been biometric authentication. Biometric authentication is a method where systems use physical and/or behavioral traits unique to a specific individual to authorize access. Some of the most popular forms of biometric passwords are as follows: fingerprint, palm prints, iris, retina, voice, and facial structure. The appeal of biometrics as a form of passwords is that they increase security. Only one person has access to a set of fingerprints or retinal patterns, which means the likelihood of hacking decreases significantly.

Biometric authentication has 4 important factors, or modules, that keep systems and accounts from being compromised: sensor module, feature extraction module, template database, and matching module. These 4 sections of biometric authentication, while more involved, create a layer of protection that a traditional password option cannot. The sensor module is responsible for capturing the user's biometric, whether it be a fingerprint scan, facial scan, or voice. The second module, feature extraction, is where all the raw data acquired from the previous module is broken down into the key components. The template, or database module, takes the key components gathered previously and saves them virtually. Lastly, the matching module is employed in order to verify if the inputted biometric is legitimate.

The modules that record, process, and verify biometrics need to be run in 2 different stages, enrollment and recognition; within these 2 stages we see more sub-stages. In the enrollment stage we see the entirety of the four modules working at once as a digital version of the biometric data is generated and stored. The recognition stage has two sub-sections called verification and identification. During the verification process the system's job is to ensure that the individual trying to gain access is who they are stating they are. The identification process fully identifies the individual.

Though biometric authentication is a method that is seen increasingly often, it isn't without its issues. A biometric system is affected by similar issues to those a traditional password system has. When a user inputs their biometric information, one of four things can happen. A user may truly be who they say they are and be granted access to the system. Conversely, a user may be impersonating someone and will be denied access. The two other scenarios are when an authentic user is denied access and an impersonator is granted access. This type of fraud can occur as there are certain individuals that may share virtually identical voices. In other instances, the initial attempt to record the biometric data may have been compromised. During the 4 modules, a user may have inputted corrupted data. An example of this is most commonly seen in fingerprints, where an individual may use a wet finger or a scarred finger to record their data. These errors introduce the possibility of insecurity. These issues can also occur for facial recognition. If a pair of twins or even two people who look similar try to access a system, they may be granted access.
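The four modules, the two stages and the four possible outcomes described above can be traced in a small model. This is an added example, not taken from the original article or from any real biometric product; the feature vectors, the distance metric, the threshold and all names are assumptions chosen so that each outcome appears once.

```python
import math

THRESHOLD = 0.1  # assumed matching threshold; real systems tune this on data

# Constructed sensor readings (the sensor module's output), not real biometric data.
SAMPLES = {
    "alice_enroll": [4.0, 1.0, 3.0, 2.0],
    "bob_enroll":   [1.0, 4.0, 2.0, 3.0],
    "alice_clean":  [4.1, 0.9, 3.0, 2.0],
    "alice_wet":    [2.5, 2.0, 3.0, 2.5],  # degraded capture, e.g. a wet finger
    "twin":         [4.0, 1.0, 3.0, 2.2],  # near-identical trait, not enrolled
}

def extract_features(raw):
    """Feature extraction module: reduce a raw reading to a unit-length vector."""
    norm = math.sqrt(sum(x * x for x in raw))
    return [x / norm for x in raw]

class BiometricSystem:
    def __init__(self):
        self.templates = {}  # template database module: user id -> template

    def enroll(self, user, raw):
        """Enrollment stage: capture, extract, store."""
        self.templates[user] = extract_features(raw)

    def _distance(self, user, raw):
        """Matching module: Euclidean distance between sample and template."""
        return math.dist(self.templates[user], extract_features(raw))

    def verify(self, claimed, raw):
        """Verification: is the sample close enough to the claimed identity?"""
        return claimed in self.templates and self._distance(claimed, raw) <= THRESHOLD

    def identify(self, raw):
        """Identification: closest enrolled user within the threshold, else None."""
        best = min(self.templates, key=lambda u: self._distance(u, raw), default=None)
        return best if best and self._distance(best, raw) <= THRESHOLD else None

def outcome(system, claimed, actual, raw):
    """Label an attempt with one of the four outcomes described above."""
    accepted, genuine = system.verify(claimed, raw), claimed == actual
    if genuine:
        return "genuine accept" if accepted else "false reject"
    return "false accept" if accepted else "impostor reject"

def demo_system():
    system = BiometricSystem()
    system.enroll("alice", SAMPLES["alice_enroll"])
    system.enroll("bob", SAMPLES["bob_enroll"])
    return system
```

Raising `THRESHOLD` lets the degraded capture through but admits more look-alikes, and lowering it does the reverse; that trade-off between false rejects and false accepts is the tuning decision every biometric deployment has to make.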


See also

* Password strength
* Password policy
* Password cracking
* Passphrase

