1. Introduction
A large portion of almost everyone’s life is linked to online services and various computer systems. We use information and communications technology for everything from buying groceries to communicating at work. Much as a lock and key protect what is important in the physical world and a passport proves your identity, being able to identify yourself and establish what you are allowed to access is of high importance in the digital world. To prove one’s identity online, and thus prove oneself to be the owner of an account, authentication is used (Nielsen et al., 2014). Probably the most common means of authentication is the password (Nielsen et al., 2014; Houshmand and Aggarwal, 2017). Woods and Siponen (2018) even argue that password use will continue to increase in the future, making the need for secure passwords obvious.
While many actors try to emphasize the use of strong passwords, users tend to use strategies to make their passwords easy to remember (Zviran and Haga, 1990; Ur et al., 2015; Stobert and Biddle, 2014). Pfleeger et al. (2015) discuss that users are afraid that they will forget their passwords if they do not use some strategy to make them memorable. In a world where the number of accounts that every user must handle is growing, using those strategies is not at all strange. After all, the human memory is a limited resource not designed to keep track of multiple complex passwords (Vu et al., 2007). However, the consequence is that many passwords are inherently insecure and can be cracked in minutes.
The conflict between strong and memorable passwords raises the question of what a secure password actually is. Much like Weirich and Sasse (2001), we argue that passwords are socio-technical properties where the user, as well as the computer system, must be considered equally. For a password to be computationally secure, it must be able to resist attacks for a reasonable amount of time; in other words, it must be hard to guess using a dictionary or brute-force attack. This property is typically achieved by having long passwords that contain different types of characters. It is reasonable to measure the computational security of a password in terms of...
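As an added illustration (not code from the paper), the script below contrasts the keyspace a blind brute-force attack must search, derived from length and character classes as described above, with the much smaller space a dictionary-style attack explores when the password follows a memorable pattern (a word, optional capital, digits, one symbol). The word list, the pattern grammar and the guess rate are constructed assumptions for the example.

```python
import math
import re
from typing import Optional

# Constructed mini word list standing in for a real cracking dictionary.
WORDLIST = {"password", "summer", "dragon", "welcome", "monkey"}

# Pool sizes for printable ASCII: 26 lower, 26 upper, 10 digits, 33 symbols (incl. space).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def charset_size(pw: str) -> int:
    """Size of the character pool implied by the classes present in pw."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += CLASS_SIZES["lower"]
    if re.search(r"[A-Z]", pw):
        size += CLASS_SIZES["upper"]
    if re.search(r"[0-9]", pw):
        size += CLASS_SIZES["digit"]
    if re.search(r"[^A-Za-z0-9]", pw):
        size += CLASS_SIZES["symbol"]
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the full keyspace (pool ** length) a blind brute-force attack covers."""
    return len(pw) * math.log2(charset_size(pw))


def pattern_bits(pw: str) -> Optional[float]:
    """log2 of the guesses a dictionary attack needs if pw is a list word
    (lowercase or capitalised: 2 variants) + optional digits + optional symbol.
    Returns None when the password does not follow this assumed pattern."""
    m = re.fullmatch(r"([A-Za-z]+)(\d*)([^A-Za-z0-9]?)", pw)
    if not m or m.group(1).lower() not in WORDLIST:
        return None
    _word, digits, sym = m.groups()
    guesses = len(WORDLIST) * 2 * (10 ** len(digits)) * (CLASS_SIZES["symbol"] if sym else 1)
    return math.log2(guesses)


def crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password: half the space at the given guess rate."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    for pw in ("password", "Summer2019!", "xK9#qL2v"):
        print(pw, f"brute={brute_force_bits(pw):.1f} bits", f"pattern={pattern_bits(pw)}")
```

The gap between the two numbers for `Summer2019!` is the point of the passage: the same string is strong by the length-and-classes measure and weak against an attacker who models how people build memorable passwords.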