Empirical analysis on the usability and security of passwords

Security and usability have been on the opposite ends of the spectrum; sometimes, to achieve one, the other must be compromised to some extent. Passwords are a typical example in which usability, psychology, and security meet. Absurd password rules force users to create complex passwords for the sake of enhanced security. However, users often struggle to create and recall such passwords and resort to techniques such as writing them down, reusing them, and storing them in vulnerable ways. The use and management of passwords have become one of the biggest challenges for users and security experts today. The strength of a password directly correlates to its security. In addition, we define the pronunciability of a password as a means to measure how easy it is to memorize – an aspect we associate with usability. These metrics, along with the opinions of real users from an online survey, will be used to empirically analyze the relationship between usability and security in user passwords. This project analyzes a dataset of 300,000 passwords, to determine whether the user-generated passwords are both usable and secure. By quantifying the password strength and predicting the pronunciability of a password, we design a framework to map the relationship between the two. We find that passwords are either secure or usable, but they rarely ace in both aspects. Furthermore, we suggest how password creation strategies can be adapted to better align with usable security.