DOI: 10.1145/2639189.2639218
research-article

Honey, I shrunk the keys: influences of mobile devices on password composition and authentication performance

Published: 26 October 2014

Abstract

In this paper, we present the results of two studies on the influence of mobile devices on authentication performance and password composition. A pre-study in the lab (n = 24) showed a lower performance for password-entry on mobile devices, in particular on smartphones. The main study (n = 450) showed a trend that alphanumeric passwords are increasingly created on smartphones and tablets. Moreover, a negative effect on password security could be observed as users fall back to using passwords that are easier to enter on the respective devices.
This work contributes to the understanding of mobile password-entry and its effects on security in the following ways: (a) we tested different types of commonly used passwords (b) on all relevant devices, and (c) we present analytic and empirical evidence for the differences that (d) are likely to influence overall security or reduce secure behavior with respect to password-entry on mobile devices.

        Published In

        NordiCHI '14: Proceedings of the 8th Nordic Conference on Human-Computer Interaction: Fun, Fast, Foundational
        October 2014
        361 pages
        ISBN:9781450325424
        DOI:10.1145/2639189
        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Author Tags

        1. mobile devices
        2. passwords
        3. performance
        4. usability

        Qualifiers

        • Research-article

        Conference

        NordiCHI '14

        Acceptance Rates

        NordiCHI '14 Paper Acceptance Rate 89 of 361 submissions, 25%;
        Overall Acceptance Rate 379 of 1,572 submissions, 24%

        Cited By

        • (2023) Performance and Usability Evaluation of Brainwave Authentication Techniques with Consumer Devices. ACM Transactions on Privacy and Security, DOI 10.1145/3579356, 26:3 (1-36). Online publication date: 13-Mar-2023
        • (2022) MIGRANT. ACM SIGMIS Database: the DATABASE for Advances in Information Systems, DOI 10.1145/3533692.3533698, 53:2 (63-95). Online publication date: 27-Apr-2022
        • (2021) On the Security of Smartphone Unlock PINs. ACM Transactions on Privacy and Security, DOI 10.1145/3473040, 24:4 (1-36). Online publication date: 30-Sep-2021
        • (2021) Pure Recall-Based Graphical User Authentication Schemes: Perspectives from a Closer Look. 3rd African Human-Computer Interaction Conference: Inclusiveness and Empowerment, DOI 10.1145/3448696.3448721 (141-145). Online publication date: 8-Mar-2021
        • (2021) Auth+Track: Enabling Authentication Free Interaction on Smartphone by Continuous User Tracking. Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems, DOI 10.1145/3411764.3445624 (1-16). Online publication date: 6-May-2021
        • (2021) Behaviors of Unwarranted Password Identification via Shoulder-Surfing during Mobile Authentication. 2021 IEEE International Conference on Intelligence and Security Informatics (ISI), DOI 10.1109/ISI53945.2021.9624730 (1-3). Online publication date: 2-Nov-2021
        • (2021) What’s in Score for Website Users: A Data-Driven Long-Term Study on Risk-Based Authentication Characteristics. Financial Cryptography and Data Security, DOI 10.1007/978-3-662-64331-0_19 (361-381). Online publication date: 1-Mar-2021
        • (2020) More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication. Proceedings of the 36th Annual Computer Security Applications Conference, DOI 10.1145/3427228.3427243 (203-218). Online publication date: 7-Dec-2020
        • (2020) This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs. 2020 IEEE Symposium on Security and Privacy (SP), DOI 10.1109/SP40000.2020.00100 (286-303). Online publication date: May-2020
        • (2019) Picture Passwords in Mixed Reality. Extended Abstracts of the 2019 CHI Conference on Human Factors in Computing Systems, DOI 10.1145/3290607.3313076 (1-6). Online publication date: 2-May-2019