Strategy to Support the Memorization of Iconic Passwords

Introduction

According to many technological trend forecasts, in a near future, smartphones will be widely used for payments, replacing many of the current uses of cash or credit cards. This scenario highlights the need to equip smartphones with authentication solutions that are both reliable and usable.

In this context, as commented by Biddle et al. (2011), the use of passwords (PWs) for user authentication has several advantages, including the elimination of the privacy issues normally associated with biometric authentication, and also avoiding the need to carry a token, such as a chip card.

However, while alphanumeric passwords are supposed to provide a high theoretical security level, they tend to be predictable whenever they are chosen by users and, conversely, they tend to be difficult to memorize if they are generated by the system (Morris and Thompson, 1979; Klein, 1990; Mallows and Bentley, 2005; Sasse et al., 2001, Yan et al. 2004). Besides, the input modalities available in virtual keyboards of mobile devices hinder typing long alphanumeric PWs.

System-defined alphanumeric PWs are hard to memorize mainly when the resulting strings have no semantic or phonetic values, as those in conformance with the best security practices. This occurs because, in order to expand the theoretical space, the PWs are required to explore the entire keyboard, to be formed by a sequence of random characters (uppercase and lowercase letters, digits and special characters). This produces strings such as XP5sW8mN%&# or 9(yUt5$#c*m, which represent a challenge for the human memory, then forcing many users to resort to workarounds that can compromise the security of the application, such as writing down the password in a way that it makes it usable, but also vulnerable to capture.

On the other hand, if users are allowed to choose the PW, they will often adopt unsafe coping strategies, such as the use of real words or significant dates (vulnerable to dictionary and pattern-based attacks) or even the reuse of PWs across accounts to help with memorability, in which case “the decrease in security cannot be addressed by simply strengthening, in isolation, the underlying technical security of a system” (Biddle et al., 2011).

Finally, even when the user is asked to create an alphanumeric PW, while respecting the above-mentioned best practices, he or she still can circumvent these guidelines, for instance by creating a PW with no semantic value, but composed with adjacent keyboard keys, in order to memorize the movements for typing the string, instead of having to memorize the PW itself. By doing so, the user unconsciously creates a PW that is more vulnerable to shoulder-surfing attacks (as well as totally dependent on that particular keyboard standard).

Nevertheless, the main reason for those bad practices in the creation and handling of PWs is the legitimate attempt to overcome memorization difficulties, something totally justifiable from the usability perspective. But since authentication solution creators have no control over such workarounds, these can actually be considered unsafe behaviors that compromise the overall system security, making it susceptible to attacks.

The core of the problem lies then in the usability/security trade-off. While this trade-off needs to be carefully addressed and balanced, what occurs quite often is that, from a naïve security standpoint, most of the usability requirements are only regarded as likely to cause security breaches or to create loopholes for attacks, whereas from a non-informed usability perspective, the more usable a solution is, the better, regardless of the security implications of the evaluated alternatives. So, when it comes to proposing and developing an authentication mechanism for such a critical application as the use of smartphones as “digital money”, security and usability need to be considered on equal footing, otherwise they could undermine one another.