Abstract
Entering a username–password combination is a widely used procedure for identification and authentication in computer systems. However, it is a notoriously weak method, in that the passwords adopted by many users are easy to crack. In an attempt to improve security, proactive password checking may be used, in which passwords must meet several criteria to be more resistant to cracking. In two experiments, we examined the influence of proactive password restrictions on the time that it took to generate an acceptable password and to use it subsequently to log in. The required length was a minimum of five characters in Experiment 1 and eight characters in Experiment 2. In both experiments, one condition had only the length restriction, and the other had additional restrictions. The additional restrictions greatly increased the time it took to generate the password but had only a small effect on the time it took to use it subsequently to log in. For the five-character passwords, 75% were cracked when no other restrictions were imposed, and this was reduced to 33% with the additional restrictions. For the eight-character passwords, 17% were cracked with no other restrictions, and 12.5% with restrictions. The results indicate that increasing the minimum character length reduces crackability and increases security, regardless of whether additional restrictions are imposed.
Additional information
This research was supported by the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.
Cite this article
Proctor, R.W., Lien, MC., Vu, KP.L. et al. Improving computer security for authentication of users: Influence of proactive password restrictions. Behavior Research Methods, Instruments, & Computers 34, 163–169 (2002). https://doi.org/10.3758/BF03195438
DOI: https://doi.org/10.3758/BF03195438