User authentication is an important part of most information systems that require some level of security. Due to their ease of use, wide deployment, and user familiarity, passwords have been the most widely adopted user authentication mechanism in the past and are likely to continue to be an important part of cybersecurity for the foreseeable future. At the same time, it is well known that there is a tension between the security and usability of passwords. Often times, secure passwords are difficult to memorize, making them less usable, whereas passwords that are memorable tend to be predictable and discoverable. This project aims to improve the complex password ecosystem, including ways to help both human users and websites that require passwords. One research thrust focuses on developing techniques to help human users, and in particular, ways that effectively train humans in the skills to create and remember secure passwords. Another research thrust focuses on studying how to improve the password-generation interface of the website, which plays a decisive role in users' performance of password generation.
To help human users, the project aims to develop and evaluate mental password generation strategies--cognitive algorithms that can be executed by humans--for generating high-entropy passwords that can be acquired and implemented by human users. An effective generation strategy should be easy to use, and the resulting passwords should be both unpredictable and easy to recall. Another major challenge a user faces is the large number of accounts that need passwords. The researchers are studying effective mental password management systems, in which passwords for different accounts are organized in a hierarchical manner and related to the website domain name to make recall easier, while it remains difficult for an attacker who possesses such a password to easily guess another. To help websites promote user-centered and safe password generation, this project studies how to improve the password-generation interface of the website by developing effective password strength communication and embedded training methods. The project poses the research question of how should websites check for weak passwords and effectively warn against or forbid their use, without imposing excess effort on the user.
