cognitive password

{{Short description|Form of knowledge-based authentication}}

A cognitive password is a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity. Cognitive password systems have been researched for many years and are currently commonly used as a form of secondary access. They were developed to overcome the memorability vs. strength problem that exists with the traditional password. Cognitive passwords, when compared to other password systems, can be measured through the usage of a memorability vs. guessability ratio.<ref>{{cite book|author=Shon Harris|authorlink=Shon Harris|title=Mike Meyers' CISSP(R) Certification Passport|publisher=McGraw-Hill Professional|year=2002|edition=illustrated|series=Mike Meyers' certification passport Passport Series|pages=36|chapter=2|isbn=978-0-07-222578-5|url=https://books.google.com/books?id=Vp3MEDK0E7sC}}</ref>

== History ==

Research on passwords as an authentication method has long had to balance memorability against strong security.<ref>Simon HA. Cognitive science: The newest science of the artificial. Cognitive science. 1980 Jan 1;4(1):33-46.</ref> Passwords that are easily remembered are easily cracked by attackers. On the other hand, strong passwords are difficult to crack but also difficult to remember.<ref>Zviran and Haga, 1990a</ref><ref>J. Yan, A. Blackwell, R. Anderson, and A. Grant. Password Memorability and Security: Empirical Results. IEEE Security and Privacy, 2(5):25–31, 2004.</ref>

When passwords are difficult to remember, users may write them down, and the secrecy of the password is compromised.<ref>Zviran and Haga, 1999, p. 173</ref> Early research into this trade-off between security and usability aimed to develop a password system that utilized easily remembered personal facts and encouraged user participation. This line of research resulted in the concept of the associative password, a password system based on user-selected cues and responses.<ref>Smith, 1987</ref> The concept of associative passwords was extended to a pre-specified set of questions and answers that users would be expected to know and could easily recall.<ref>Zviran and Haga, 1990a, p. 723</ref> Empirical analysis of passwords and human cognition resulted in a recommendation that people should not be expected to remember more than four complex passwords.<ref>A. Adams and M. A. Sasse. Users are not the enemy. Commun. ACM, 42(12):40–46, 1999.</ref>

Building upon the idea of questions, later researchers developed a series of innovations for cognitive passwords. Passfaces used the ability to identify individuals in a social network and the particular cognitive strength of recognizing faces.<ref>Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy, and N. Memon. PassPoints: design and longitudinal evaluation of a graphical password system. Int. J. Hum.-Comput. Stud., 63(1-2):102–127, 2005.</ref> Later work evaluating these cues reaffirmed the recommendation of four passwords as a reasonable cognitive expectation.<ref>Brostoff, S., & Sasse, M. A. (2000). Are Passfaces more usable than passwords? A field trial investigation. In People and computers XIV—usability or else! (pp. 405-424). Springer, London.</ref>

A historical overview of the use of various cues found that the specific design and layout of the page affect both memorability and strength.<ref>Biddle R, Chiasson S, Van Oorschot PC. Graphical passwords: Learning from the first twelve years. ACM Computing Surveys. 2012 Aug 1;44(4):19.</ref> Later work illustrated that the inclusion of a visual cue enabled strongly significant improvements in the trade-off between memorability and security.<ref>Camp, L. Jean, Jacob Abbott, and Siyu Chen. [https://www.ftc.gov/es/system/files/documents/public_comments/2016/10/00060-129179.pdf "CPasswords: Leveraging Episodic Memory and Human-Centered Design for Better Authentication."] 2016 49th Hawaii International Conference on System Sciences (HICSS). IEEE, 2016.</ref>

== Cognitive questions ==

The core of a cognitive password system lies in its cues. These can be photos of faces, newspapers, images, or other graphical or textual cues. One early method of assisting recall recommended what are now commonly called security questions. These questions were designed to be more memorable than the standard username/password authentication method. As such, a measure of the strength of a cognitive password is the memorability/guessability ratio.<ref>Bunnell et al., 1997, p. 631</ref>

=== Question development ===

Questions developed for cognitive password systems are classified as being either fact-based or opinion-based. Fact-based systems have questions with answers that are considered independent of an individual's feelings, such as "What is the name of the high school you attended?". Opinion-based questions are the opposite and, as the name implies, have answers based on personal opinions, such as "What is your favorite color?"<ref>Zviran and Haga, 1990</ref> Later research developed a set of criteria for question selection which included generalized answerability, number of potential answers, and generalized lack of ambiguity. The first criterion suggested that questions should be answerable by all (e.g. not asking "When did you purchase your first home?" because not all users may have purchased homes). The second criterion recommended selecting questions with a sufficiently large set of potential answers (e.g. not asking "How many children do you have?" because a majority of people would answer 0, 1 or 2). The third criterion was that questions be as unambiguous as possible (e.g. not asking "How many family members do you have?" as there may be some confusion as to who would be included in that count).<ref>Bunnell et al., 1997, p. 633</ref> For creating usable questions, one effective criterion is the use of persuasive, engaging questions.<ref>Alain Forget, Sonia Chiasson, P. C. van Oorschot, and Robert Biddle. 2008. Improving text passwords through persuasion. In Proceedings of the 4th symposium on Usable privacy and security (SOUPS '08). ACM, New York, NY, USA, 1-12.</ref>

Older people dealing with the normal cognitive decline of aging may respond well to visual cues.<ref>Anderson, N. and Craik, F., "Memory in the aging brain", The Oxford handbook of memory, pp. 411–425, 2000.</ref> Tactile interactions can make technology more accessible.<ref>Z. Zimmerman & L Jean Camp, "Elder-friendly Design's Effects on Acceptance of Novel Technologies", Elderly Interaction Design CHI; CHI 2010 Workshop, (Atlanta GA.) 4 April 2010.</ref>

=== Memorability vs. guessability ===

A user's ability to correctly recall their password is expected to decrease as time progresses.<ref>Brown et al., 2004, p. 642</ref> However, the memorability of cognitive passwords remains relatively stable over time, with recall rates significantly higher than traditional passwords.<ref>Bunnell et al., 1997, p. 635</ref><ref>Zviran and Haga, 1990a, p. 728</ref> When fact- and opinion-based questions are compared, fact-based questions are more likely to be correctly remembered than opinion-based questions, but both are still far more likely to be recalled than traditional passwords. On average, cognitive questions show relatively high guessability, much higher than traditional passwords. But when analyzed individually, certain cognitive questions have been shown to have acceptable memorability/guessability ratios.
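The question-selection criteria from the previous section and the memorability/guessability ratio described here can be applied to enrolment and follow-up recall data. The following is an added example, not from the article or any of the studies it cites: it scores constructed survey answers by the entropy of the answer distribution (a proxy for the "number of potential answers" criterion), by the share of accounts a population-level guesser would open using the most common answers, and by the recall rate, then reports the ratio. The survey data, thresholds and function names are all constructed for illustration.

```python
from collections import Counter
from math import log2

# Constructed survey (not real data): for each question, the answers users
# gave at enrolment and whether each user later recalled their own answer.
SURVEY = {
    "How many children do you have?": (
        ["0", "1", "2", "0", "2", "1", "0", "3", "2", "0"],
        [True] * 10,
    ),
    "What city were you born in?": (
        ["Lima", "Oslo", "Pune", "Cork", "Bonn", "Kiel", "Hue", "Riga", "Oslo", "Lima"],
        [True, True, True, True, True, True, False, True, True, True],
    ),
    "What is your favorite color?": (
        ["blue", "blue", "green", "red", "blue", "blue", "black", "blue", "red", "green"],
        [True, False, True, False, True, True, False, True, True, False],
    ),
}

def guessability(answers, guesses=3):
    """Share of users whose answer is among the `guesses` most common ones:
    the accounts a population-level guesser opens within `guesses` attempts."""
    counts = Counter(answers)
    return sum(n for _, n in counts.most_common(guesses)) / len(answers)

def answer_entropy(answers):
    """Shannon entropy (bits) of the observed answers; a proxy for the
    'sufficiently large set of potential answers' criterion."""
    n = len(answers)
    return -sum(c / n * log2(c / n) for c in Counter(answers).values())

def memorability(recalled):
    """Fraction of users who recalled their own answer at follow-up."""
    return sum(recalled) / len(recalled)

def screen(survey, min_bits=2.0, max_guess=0.5, guesses=3):
    """Score each question; 'passes' needs enough entropy and low guessability."""
    report = {}
    for question, (answers, recalled) in survey.items():
        bits, g, m = answer_entropy(answers), guessability(answers, guesses), memorability(recalled)
        report[question] = {"bits": bits, "guessability": g, "memorability": m,
                            "ratio": m / g, "passes": bits >= min_bits and g <= max_guess}
    return report

if __name__ == "__main__":
    for q, r in screen(SURVEY).items():
        print(f"{q:32} bits={r['bits']:.2f} guess={r['guessability']:.2f} "
              f"recall={r['memorability']:.2f} ratio={r['ratio']:.2f} {'PASS' if r['passes'] else 'FAIL'}")
```

On the constructed data the children question is recalled perfectly yet fails, because three guesses cover 90% of users, while the birth-city question passes with a higher ratio despite an imperfect recall rate.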

== Examples ==

The following are some typical cognitive password questions:

* What is your mother's maiden name?
* Who is your favorite superhero?
* What is your dog's name?
* What is your car's name?
* What is your favorite movie?
* What city were you born in?
* What is your favorite color?

== References ==

{{reflist}}

== Works cited ==

* {{Citation|last = Brown|first = Alan S.|last2 = al|first2 = et.|title = Generating and Remembering Passwords|journal = Applied Cognitive Psychology|volume = 18|issue = 6|pages = 641–651|year = 2004|doi=10.1002/acp.1014}}
* {{Citation|last = Bunnell|first = Julie|last2 = al|first2 = et.|title = Cognitive, associative and conventional passwords: Recall and guessing rates|journal = Computers & Security|volume = 16|issue = 7|pages = 629–641|year = 1997|doi=10.1016/s0167-4048(97)00008-4}}
* {{Citation|last = Smith|first = Sidney L.|title = Authenticating Users by Word Association|journal = Human Factors and Ergonomics Society|volume = 31|issue = 1|pages = 135–138|year = 1987|doi=10.1177/154193128703100130}}
* {{Citation|last = Zviran|first = Moshe|last2 = Haga|first2 = William J.|title = Cognitive passwords: The key to easy access control|journal = Computers & Security|volume = 9|issue = 8|pages = 723–736|year = 1990a|doi=10.1016/0167-4048(90)90115-a}}
* {{Citation|last = Zviran|first = Moshe|last2 = Haga|first2 = William J.|title = Password Security: An Empirical Study|journal = Journal of Management Information Systems|volume = 15|issue = 4|pages = 161–185|year = 1999|doi = 10.1080/07421222.1999.11518226|hdl = 10945/40319|hdl-access = free}}
* {{Citation|last = Zviran|first = Moshe|last2 = Elrich|first2 = Zippy|title = Identification and Authentication: Technology and Implementation Issues|journal = Communications of the Association for Information Systems|volume = 17|issue = 4|pages = 90–105|year = 2006|doi = 10.17705/1CAIS.01704|doi-access = free}}