IMPROVING MEMORIZATION AND LONG TERM RECALL OF SYSTEM ASSIGNED PASSWORDS By JAYESH DOOLANI Presented to the Faculty of the Graduate School of The University of Texas at Arlington in Partial Fulfillment of the Requirements for the Degree of MASTER OF SCIENCE IN COMPUTER SCIENCE THE UNIVERSITY OF TEXAS AT ARLINGTON DECEMBER 2016 Copyright © by Jayesh Doolani 2016 All Rights Reserved ii To my family, friends and to my advisor, Dr. Matthew Wright, who guided me to where I am today. iii ACKNOWLEDGEMENTS I would like to thank my supervising professor Dr. Matthew Wright for his guidance, motivation and invaluable support throughout my graduate studies. He always guided me and gave constructive feedback about my work. It was a great learning experience for me under his guidance. I am grateful to Dr. Filia Makedon and to Dr. John Robb for taking time to serve on my thesis committee. I would specially like to mention the key role Dr. Fillia Makedon’s course on Human Computer Interaction played and was extremely beneficial for me in completing this thesis. I also want to thank Dr. Taiabul Haque for his key inputs and for providing great insights in this research area. I am also grateful to Dr. Feraydune Kashefi of Computer Science department who helped us recruit his class students for our user study. Last but not the least, I would like to express my deepest gratitude to my parents who encouraged and motivated me to pursue my MS. This research would not have been possible without their emotional support. November 11, 2016 iv ABSTRACT IMPROVING MEMORIZATION AND LONG TERM RECALL OF SYSTEM ASSIGNED PASSWORDS Jayesh Doolani, M.S. The University of Texas at Arlington, 2016 Supervising Professor: Matthew Wright Systems assigned passwords have guaranteed robustness against guessing attacks, but they are hard to memorize. To make system assigned passwords more usable, it is of prime importance that systems that assign random passwords also assist users with memorization and recall. In this work, we have designed a novel technique that employs rote memorization in form of an engaging game, which is played during the account registration process. Based on prior work on chunking, we break a password into 3 equal chunks, and then the game helps plant those chunks in memory. We present the findings of 17-participant user study, where we explored the usability of 9 characters long pronounceable system assigned passwords. Results of the study indicate that our system was effective in training users to memorize the random password at an average registration time of 6 minutes, but the long-term recall rate of 71.4% did not match our expectation. On thorough evaluation of the system and the results, we identified potential areas of improvement and present a modified system design to improve the long-term recall rate. v TABLE OF CONTENTS ACKNOWLEDGEMENTS . iv ABSTRACT . v LIST OF ILLUSTRATIONS . ix Chapter Page 1. INTRODUCTION . 1 2. RELATED WORK . 5 2.1. User-chosen Passwords . 6 2.2. System-assigned Passwords . 7 2.2.1. Pronounceable Passwords . 7 2.2.2. Passphrases . 8 2.2.3. Mnemonic Passwords . 9 3. SYSTEM MODEL . 11 3.1. System Design . 11 3.1.1. Random Password Generator . 12 3.1.2. Game Design . 13 3.1.2.1. The Distractor Task . 15 3.1.3. Development Platform and Tools . 15 3.2. Science behind Proposed Technique . 16 3.2.1. Rote Memorization . 17 3.2.2. Chunking . 18 4. USER STUDY . 20 vi 4.1. Participants . 20 4.1.1. Recruitment . 20 4.1.2. Demographics . 20 4.2. Apparatus . 21 4.3. Procedure . 21 4.3.1. Phase 1 . 22 4.3.2. Phase 2 . 22 4.4. Ecological Validity . 23 5. RESULTS AND DISCUSSION . 24 5.1. Results . 24 5.1.1. Memorability . 24 5.1.2. Registration Time . 24 5.1.3. Login Time . 25 5.1.4. Number of Attempts . 26 5.1.5. User Feedback . 26 5.2. Discussion . 28 5.2.1. Memorability . 29 5.2.2. Registration Time . 30 5.2.3. Login Time . 30 5.2.4. User Feedback . 30 5.3. Key Takeaways . 31 vii 6. MODIFIED SYSTEM MODEL . 32 6.1. System Design . 32 6.1.1. Password Generator . 33 6.1.2. Method of Loci . 33 6.1.3. Development Platform and Tools . 36 7. CONCLUSION AND FUTUREWORK . 37 APPENDIX A . 39 APPENDIX B . 44 REFERENCES . 49 BIOGRAPHICAL STATEMENT . 55 viii LIST OF ILLUSTRATIONS Figure Page Figure 3-1 Sample output of tweaked version of pronounce3 password scheme . 13 Figure 3-2 A screenshot of our game containing a falling ball and a cup . 14 Figure 3-3 Screenshot of the game with a distractor task . 16 Figure 3-4 Atkinson-Shiffrin Memory Model . 17 Figure 5-1 User responses to survey questions after Phase 1 . 27 Figure 5-2 User responses to survey questions after Phase 2 . ..