No Rules: Can Removing Password Creation Rules Improve Password Memorability and Security?

Authors

DOI:

https://doi.org/10.34190/eccws.25.1.4690

Keywords:

Passwords, Password creation requirements, Password behaviour, Memorability, Authentication

Abstract

Many users have significant difficulty remembering all their passwords. Several authentication technologies are available on the market to help with this, for instance, password managers. However, many users still choose to rely solely on their memory. Creating and recalling multiple strong passwords often leads users to adopt insecure password practices, such as creating weak passwords and writing passwords down. Insecure behaviours result in substantial security breaches and financial losses. Therefore, password creation requirements imposing complexity (e.g., X number of upper and lower case letters, numbers and special characters) and length (e.g., X number of characters) are implemented to ensure that users create passwords with a standard or minimum level of strength. Previous research has examined password memory and security issues, suggesting various ways to improve memorability. Previous research has also examined users’ perceptions and interactions when attempting to meet password creation requirements, and the impact these requirements have on users’ password management. Previous results suggest that users struggle to meet password creation rules and often circumvent security by, for instance, reusing the same password or modifying passwords for multiple accounts, which is a significant security issue in itself. In this study, we will examine whether removing complexity-based password creation rules has beneficial effects on memorability and security. Using a mixed-method study, we will examine password creation and recall in an online laboratory study, observing the strength of the passwords and whether focusing solely on creating a password, rather than on meeting rules, improves password memorability. Follow-up questionnaires will measure user perceptions and attitudes, and interviews will be conducted to examine more deeply users’ motivations for digital security when no rules are imposed.
The results will have important implications for research and practice, especially for professionals who make recommendations and provide guidance on password management. This is because improving password memorability and security could reduce insecure password behaviours and the financial losses associated with passwords.

Published

2026-06-15