The Effectiveness and Usability of Passphrases for Authentication

In developing password policies, IT managers must strike a balance between security and memorability. Rules that improve structural integrity against attacks (e.g., increasing length and multiple character types) may also result in passwords that are difficult to remember. Recent technologies have relaxed the 8-character password constraint – permitting the creation of longer pass-“phrases” consisting of multiple words. Psychology theories suggest users can remember passphrases at least as well as passwords. This paper reports an experiment currently in progress that tests the usability of passphrases. Subjects are randomly assigned to three different password creation techniques: a control group with no constraints, a secure group given strong password requirements, and a passphrase group. It is expected that the passphrases group will have fewer failed login attempts than the secure group and no more failed login attempts than the control group. Practical implications include stronger authentication with reduced help desk costs.