Evaluating the Usability of System-Generated and User-Generated Passwords of Approximately Minimum Equal Security
Authors
Abstract
System-generated or user-generated text-based passwords are commonly used by users to authenticate access to their electronic assets. These passwords may vary in usability and memorability depending on the type of password generation, composition and length. However, little past research has compared the usability and memorability of passwords that satisfy the minimum entropy for a secure password. This study compared three password policy conditions, assigning/generating passwords of approximately equal minimum security, i.e. 6-character alphanumeric system-generated passwords, minimum 8-character restricted user-generated passwords and minimum 16-character unrestricted user-generated passwords. The study involved 54 participants, equally divided into three groups, 18 in each password policy condition. The study took place over two sessions, with a period of 5-7 days in between them. In the first session, depending on the password policy condition, the participants were either assigned or asked to create a password. The participants were then asked to recall their passwords in the same session and after 5-7 days in the second session. The three password policy conditions were compared with respect to the dependent variables: the time taken to create the password account, the password creation error rates, the time taken to recall and recall error rates for both sessions, the number of unrecoverable passwords in the second session, the proximity of the recalled password to the stored password measured by Damerau-Levenshtein and Jaro-Winkler edit distances, and the subjective ratings for the NASA task load indices and the System Usability Scale questionnaire. There were significant differences between the password policy conditions for the time taken to create a password account, password creation error rates, time taken to recall the passwords and the temporal demand index of the NASA-TLX questionnaire.
Across the task sessions, there were statistically significant differences for time taken to recall system-generated passwords, recall error rates, performance index of the NASA-TLX questionnaire and the SUS score. There was no significant difference for recall error rates and unrecoverable passwords among password policy conditions. The results of this study suggest that the overall performance of the 8-character password was weaker compared to system-generated and 16-character passwords. The qualitative analysis of the comments made by the participants and the additional analysis of the user-generated passwords suggest that the participants showed bias towards the commonly used 8-character password policy condition. However, this bias did not translate into better memorability of the 8-character password. The performance and the positive trends exhibited by 16-character passwords indicate a potential area …
Similar resources
Usability and Security of Gaze-Based Graphical Grid Passwords
We present and analyze several gaze-based graphical password schemes based on recall and cued-recall of grid points; eye-trackers are used to record user’s gazes, which can prevent shoulder-surfing and may be suitable for users with disabilities. Our 22-subject study observes that success rate and entry time for the grid-based schemes we consider are comparable to other gaze-based graphical pas...
Usability evaluation of the user interface in electronic prescribing systems of Iran Health Insurance Organization and Social Security Organization
Introduction: The e-prescribing system is one of the basic technologies in the health system structure which was developed with the aim of properly managing healthcare resources and services, preventing common manual prescribing errors, and increasing patient safety. Given that the user interface of e-prescribing system is considered as the main factor of user acceptance, the purpose of the pre...
Are Passfaces More Usable Than Passwords? A Field Trial Investigation
The proliferation of technology requiring user authentication has increased the number of passwords which users have to remember, creating a significant usability problem. This paper reports a usability comparison between a new mechanism for user authentication Passfaces and passwords, with 34 student participants in a 3-month field trial. Fewer login errors were made with Passfaces, even when ...
Enhanced User Graphical Password Authentication with an Usability and Memorability
Authentication is the process to provide guaranteed information security and the graphical password authentication method is a convenient and easy process to provide authentication. The major problem of user registration, mostly text base password, is well known. If the login user be inclined to select a simple password which is frequently in his mind it becomes straightforward for attackers to...
Generating 56-bit passwords using Markov Models (and Charles Dickens)
We describe a password generation scheme based on Markov models built from English text (specifically, Charles Dickens’ A Tale Of Two Cities). We show a (linear-running-time) bijection between random bitstrings of any desired length and generated text, ensuring that all passwords are generated with equal probability. We observe that the generated passwords appear to strike a reasonable balance ...