1 Introduction

Present-day authentication schemes are prone to security attacks and are difficult to use. Because passwords are hard to remember, users make only slight modifications to their existing password when prompted to change it. Consequently, a password-change requirement does not automatically enhance security; in response, one study proposes imposed passwords designed with security and memorability as central goals [9]. Although proposed solutions include multi-factor verification and multi-modal biometrics, cognitive demands remain for the user [1]. Additionally, passphrases, or multi-word combinations, have been studied as a way to improve both the security and the usability of human-computer authentication [5, 9]. Moreover, reducing cognitive load during authentication is suggested to reduce input errors, improve performance and enhance the authentication experience [19].

Augmented cognition inquiries seek support mechanisms for current password and proposed passphrase structures. Assistance from mechanisms such as a system shared secret [21] and a four-word system-assigned passphrase is suggested to increase memorability through reinforcement [10]. Similarly, passphrases built with mnemonics are suggested to improve security and recall [30]. Accommodating longer passphrases, combined with a validation system that still authenticates input containing common typing mistakes, is suggested to improve security and aid memory, ultimately minimizing input error [17]. Selecting and encoding meaningful words as random entries is suggested to initiate deep processing and increase passphrase length and security [31]. Likewise, personalizing passphrases selected from a random word set is suggested to aid memorability [4]. Although existing studies contribute to understanding the relationships among password construction, recall and meaningfulness, research connecting cognitive psychology and password selection is scarce [21].

As usability and access to computer systems remain problematic [4], further passphrase design inquiries, driven by cognitive theories, are expected to address memorability concerns [31]. Contributions that detail user-centric authentication design principles include adapting to user behavior and preferences to minimize interruptions and reduce cognitive load for successful authentication [19]. To advance the investigation of memorable passphrases and address access to computer systems, this study evaluates the influence of personality traits and memory associations on imposed and user-created passphrases [14].

2 Theoretical Background

2.1 Cognitive Load

Cognitive load is the amount of mental effort expended by a learner interacting with instruction; it is influenced by, and interacts with, novel learning instructions kept in short-term memory [24]. If instructions facilitate learning, cognitive load is germane; otherwise, cognitive load is extraneous [11]. A third type of load, intrinsic load, is distinguished as information difficulty [8]. The combination of germane, extraneous, and intrinsic cognitive loads is suggested to establish learning within the constraints of working memory [2, 8, 11, 20, 24, 25]. Furthermore, it is implied that germane and extraneous load are influenced by the design of the learning model as opposed to the intrinsic nature of the information [20].

Multiple sensory channels are required to increase working memory capacity [8]. Information is processed through working memory prior to storage in long-term memory where it can be retrieved without temporary constraints. Impedances to cognitive load increase with disruptions that interfere with learning and ultimately with the transfer process to long-term memory. Complex word or instruction variability as well as difficulty associating meanings to words may necessitate significant exertion while cognitive workload could disturb the transport of learning to long-term memory [25]. Learning and recalling computer passphrases depend on the processing of information for sustained memorability.

Long-term memory enables recall and, more importantly, provides proficiency in high-level processes such as problem solving [24]. In this study, passphrase recall is used to measure cognitive load, with the goal of discovering design outcomes that improve the passphrase learning processes that transfer to long-term memory. Unlike long-term memory, which stores vast amounts of assembled information, working memory processes up to three interrelating components. These components rely on defined procedures to process interacting elements that expand its capacity [20]. One study reported no significant difference in entropy between 3-word and 4-word passphrases, noting that 3-word passphrases resulted in fewer errors [23]. Additionally, the number of characters in a passphrase, rather than the number of words, negatively affects usability, while a sentence-like structure that can be visualized positively affects usability. Considering the limitations of short-term memory, clear and concise passphrase instruction is an important design requirement.

2.2 Memory Implications

A study of visually presented words suggests participants tend to recall words from the beginning and end of the list consisting of four to six words [29]. User created passwords are discoverable and system generated passwords are difficult to remember resulting in preference for passphrases over long passwords comprised of characters. The study randomly selected short words from a large dictionary which provides greater security than characters in a password. Implications suggest passphrases are more memorable than a password composed of characters [9].

Although “it is not known what makes a password memorable” [7, p. 221], findings indicate that password repetition and the importance of the user’s account support memorability [7]. Therefore, frequent logins to a computer encourage passphrase memorability. Another viewpoint considers the critical task of remembering multitudes of passwords that compete with each other when the user tries to evoke the one associated with a given personal or professional account [32]. Findings indicate that creating passwords based on a defined structure associated with the account elicits unique passwords and improves recall. Furthermore, a working memory study showed that interference, such as competing representations associated with a passphrase, disrupts the encoding process and decays retention unless it is refreshed by rehearsal [18]. Avoiding processing load and information loss during passphrase design are valid considerations.

Achieving mental efficiency is a result of reducing cognitive load and extending working memory. Likewise, “cognitive load always needs to be related to performance” [15, p. 6]. Discovering collaborative insights between memory and effort of the login task will further our examination of passphrase development.

3 Initial Cognitive Pilot Study

A repeated measures pilot study was conducted to determine memorability with imposed and user created passphrases. The imposed passphrases contained a series of three random words that were visually displayed prior to recall. The participants were allowed to freely select three words of their choice for their created passphrase. In both scenarios, a distractor was applied to clear working memory throughout the recall task.

Additionally, the study tested for personality traits using Rotter’s [22] locus of control personality scale of internal and external measurement. “Applying psychological variables of locus of control to technology is expected to increase understanding of personality influences on the selection and construction of computer passwords and contribute to the design of memorable passwords” [14, p. 8]. Internal control is a personality trait characterized by self-reliant behavior, whereas external control attributes circumstances to one’s surroundings [22]. Participants responded to a twenty-nine-question survey to determine their locus of control.

Moreover, the study included timed memory dynamics tests using Ekstrom et al.’s [6] associations for cognitive aptitude to determine their effect on passphrase recall. Participants were presented with a list of objects and numbers as well as first and last names. After being given time for working memory to encode the information, they were evaluated on their ability to match objects with a number and first names with last names.

The participants were undergraduate university students considered to have prior knowledge of password construction, as passwords were required to log in to their university account. Information was provided through Qualtrics’ anonymized online survey platform in a session conducted in a university classroom.

3.1 Cognitive Pilot Study Results

Although the majority of the participants were recognized as internally controlled (Fig. 1), results show these participants were found in both the passphrase imposed and passphrase created groups.

Fig. 1. Locus of control internal external personality traits. Maximum score = 23

Memory associations categorized by object number and first name last name recall tests resulted in the majority of participants scoring high when asked to recall the imposed and created passphrases (Figs. 2 and 3).

Fig. 2. Memory associative object number test. Maximum score = 15

Fig. 3. Memory associative first name last name test. Maximum score = 15

Fig. 4. Independent and dependent constructs

The summary of outcomes, listed by participant, is presented in Table 1. A participant with a lower locus of control score is considered to possess the internal personality trait, whereas a participant with a higher locus of control score is considered to possess the external personality trait. Results for the imposed passphrase recall test were bimodal. Therefore, approximately half of the participant population successfully recalled the imposed passphrase. The majority of these participants possess internal locus of control and performed sufficiently on memory associations. Most subjects who failed to recall the imposed passphrase selected the first and third words. This finding suggests recollection of random material produces common results among participants [16]. Additionally, all participants successfully recalled their created passphrases. Approximately twenty-five percent of these students were considered externally influenced by the locus of control personality trait.

Table 1. Pilot study cognition results

Distractors were presented during the recall of the imposed and user created passphrase tests. This procedure allowed processing in working memory for repeated recall [4, 24]. Unlike results from the imposed passphrase recall task, findings from the participant created passphrase task revealed that distractors provided no interference on working memory as all participants successfully recalled their created passphrase. Therefore, the role of distractors did not control participant behavior and was considered irrelevant to cognitive load [13].

4 Cognitive Pilot Study Modifications

The goal of the pilot study is to gather and analyze preliminary data, test the treatment and prepare the methods and procedures for a successful main study. It is intended to guide the planning and optimization of a large-scale investigation [27]. Furthermore, a pilot study improves validity and reliability of survey instruments [28] and allows the modification of questions and procedures that did not produce expected answers. Reporting the pilot study results will contribute to researchers considering similar inquiries.

The cognitive pilot study identified undesirable data produced by the participant created passphrase instrument. Although a distractor was presented during the recall task, all subjects repeatedly remembered their created password throughout the task. The one hundred percent participant recall of user created passphrases is attributed to the design construction of passphrases. Students were instructed to freely select three random words of their choice. The new instrument will be modified to prescribe rule sets governing the revised procedure. The addition of rule sets is expected to increase intrinsic cognitive load and provide variability for recall. Since additive working memory is anticipated to affect memorability, the predicted results are anticipated to create variance toward a normal statistical distribution resembling a bell curve.

Furthermore, the results from the participant imposed passphrase instrument yielded bimodal data. Therefore, fifty percent of the sample successfully recalled the three random word passphrase. Modifications to the new instrument will include multiple schemes corresponding to the participant created tasks to probe passphrase recall. The new rule sets governing the imposed passphrases are expected to provide improved results guiding statistical analysis.

“Physiological techniques are based on the assumption that changes in cognitive functioning are reflected by physiological variables” [25, p. 22]. Future research involving physiological responses to cognitive load is encouraged to determine inferences of working memory on recall [13]. Additionally, study findings validate physiological instruments for cognitive load measurement [26]. To strengthen our projected outcomes, this study will conduct multiple physiological quantification techniques to examine cognitive load during recall of imposed and created passphrases. Study enhancement will include the following physiological responses to cognition: electroencephalography (EEG) changes in neural activity, electrodermal (EDA) changes to skin conductance, electrocardiogram (EKG) variability in heart rate, and electromyography (EMG) activity produced by the corrugator muscle [3].

These physiological factors are expected to enrich cognitive load measurements [2, 25] and determine implications to the phenomenon of recall abilities for the design of memorable passphrases. Similar to Szulewski’s [26] results, this study’s outcomes and patterns are anticipated to uncover correlation between passphrase recall, personality factors, and memory associations utilizing multiple physiological instruments. Measurements relative to study variables are projected to be explainable within and across participant groups.

Since physiological research is essential to advance techniques and their potential to measure cognitive load [25], we will apply modifications to the study design dynamics and measure recall using valid and reliable physiology, personality and memory associative instruments for the main study. These enhancements will focus on examining changes in cognitive discovery, correlation among the instrument outcomes and understanding of passphrase development and construction of memorable authentication.

5 Method

This study will be based on descriptive quantitative approaches [12] designed with repeated measures. Therefore, participants will be measured once with surveys, memory associative tests, and physiological measures. Using a sample population, cognitive discovery will be made between the independent variables and the outcome dependent variables.

The dependent variables are the recall measurements from the imposed passphrase and user created passphrase treatments. These outcomes are the actual recall variables for both passphrase tasks that will be used in the broad scope of authentication development. The study results are expected to contribute to the behavioral understanding of passphrase selection and memorability.

The independent variables are the measurements from the locus of control personality test [22], the memory associative test [6], and multiple physiological responses [3]. These constructs represent factors for identifying participant behavior. Measurements will be examined to discover the performance magnitude of passphrase memorability.

Results are expected to establish associations and convergence between variables rather than causality. Therefore, results are presumed to produce a range of concepts explaining the study’s measurement of cognitive load on passphrase recall. The research study is designed using validated personality and cognitive instruments as well as physiological measurements and can be replicated given its validity.