A Longitudinal Comparison of Four Password Procedures
Abstract
Computer security has become a central concern in this age of technology. Vast and ever-increasing amounts of confidential and/or proprietary data are stored and transmitted electronically, making security issues a vital concern. The primary method of preventing unauthorized access to sensitive data has been to authenticate users through the use of passwords. We have completed a pilot study and begun a longitudinal study which investigate the tradeoff between the level of security and ease of recall (and ease of use) for various types of passwords and password entry procedures. Typically, there is an inverse relationship between the level of security and ease of recall. The longer the password and the more variability in the characters, the higher the level of security provided by such a password (because they are more difficult to violate or "crack"). However, such passwords tend to be more difficult for users to remember, particularly when the password does not spell a recognizable word. Conversely, when users select their own more easily-remembered passwords, the passwords may also be easier to crack. In a recent email from Bill Gates (Chairman of Microsoft Corporation) to approximately one million people, Gates referred to passwords as "the weak link" in computer security, noting that most passwords are either easy to guess or difficult to remember (CNN.COM/Technology, 2003). The proposed study presents a new approach to entering passwords, which combines a high level of security with easy recall for the user. The Check-Off Password System (COPS) is more secure than user-selected password systems, as well as high-protection, assigned-password systems. However, we hypothesize that users will prefer this system to traditional assigned-password systems despite the more cognitively involved input mechanism, because it is easier to recall the COPS "password."
We recently completed a pilot study to investigate the tradeoffs between using COPS and three traditional password procedures, which provides a preliminary assessment of the efficacy of COPS. The pilot study offers evidence that COPS is a valid alternative to current user authentication systems. However, the pilot study only explored the use of those password procedures in a single session. As an extension of the pilot study, we have started a semester-long study in which users will employ each of the four procedures for a period of three weeks. This longitudinal study will enable us to evaluate use patterns over time, which we expect to …
Similar resources
PassPoints: Design and longitudinal evaluation of a graphical password system
Computer security depends largely on passwords to authenticate human users. However, users have difficulty remembering passwords over time if they choose a secure password, i.e. a password that is long and random. Therefore, they tend to choose short and insecure passwords. Graphical passwords, which consist of clicking on images rather than typing alphanumeric strings, may help to overcome the...
A Comprehensive Study of the Usability of Multiple Graphical Passwords
Recognition-based graphical authentication systems (RBGSs) using images as passwords have been proposed as one potential solution to the need for more usable authentication. The rapid increase in the technologies requiring user authentication has increased the number of passwords that users have to remember. But nearly all prior work with RBGSs has studied the usability of a single password. In...
A Comparison of Password Authentication between Children and Adults
According to a large MediaSmarts survey, 99 percent of Canadian children aged 8-15 are online. We already have a good number of security measures for adults but can those measures keep children secure as well? As a starting point, we explore the subject of user authentication for children. We conducted two studies on three graphical password schemes (Objects, Image and Words PassTiles), one wit...
Authentication Using Graphical Passwords: Basic Results
Access to computer systems is most often based on the use of alphanumeric passwords. However, users have difficulty remembering a password that is long and random-appearing. Instead, they create short, simple, and insecure passwords. Graphical passwords have been designed to try to make passwords more memorable and easier for people to use and, therefore, more secure. Using a graphical password...
Modelling the Security of Recognition-Based Graphical Passwords
Recognition-based graphical passwords have received attention in recent research as an alternative authentication mechanism. The research often presents new schemes, usability studies or proposes countermeasures for specific attacks. Whilst this is beneficial, it does not allow for consistent comparison of the security of recognition-based graphical password schemes. This paper contributes a pr...
Publication date: 2003