An Empirical Study of Mnemonic Password Recall Errors


Aiping Xiong, The Pennsylvania State University; Huangyi Ge, Robert W. Proctor, Jeremiah Blocki, and Ninghui Li, Purdue University


A mnemonic password generation strategy with explicit instructions and an example of a personalized sentence was previously shown to increase the security of the resulting passwords, but the recall rate of those passwords was low. We report one online study quantifying which errors were made, and how often, when participants confirmed and recalled passwords created following a mnemonic instruction with a personalized example. The study also investigated whether an extra implementation-intention instruction improved short-term and long-term recall of the passwords, but it was found to be ineffective. Error analyses revealed common failure types, but their rates varied across password confirmation and recalls. A handful of human memory limitations were also evident: 1) interference from associations formed through common usage; 2) forgetting due to a lack of encoding specificity; 3) forgetting of, or interference at, the last letter position of passwords, given limited memory span. Based on the findings, we provide suggestions to improve the mnemonic strategy.

    author = {Xiong, Aiping and Ge, Huangyi and Proctor, Robert W. and Blocki, Jeremiah and Li, Ninghui},
    title = {{An Empirical Study of Mnemonic Password Recall Errors}},
    booktitle = {Who Are You?! Adventures in Authentication Workshop},
    year = {2019},
    series = {WAY~'19},
    pages = {1--6},
    address = {Santa Clara, California, USA},
    month = aug,
    publisher = {}
} % No publisher