poster

Think Harder! Investigating the Effect of Password Strength on Cognitive Load during Password Creation

Authors:

Yasmeen Abdrabou,

Yomna Abdelrahman,

Mohamed Khamis, and

Florian AltAuthors Info & Claims

CHI EA '21: Extended Abstracts of the 2021 CHI Conference on Human Factors in Computing Systems

May 2021

Article No.: 259, Pages 1 - 7

https://doi.org/10.1145/3411763.3451636

Published: 08 May 2021 Publication History

Abstract

Strict password policies can frustrate users, reduce their productivity, and lead them to write their passwords down. This paper investigates the relation between password creation and cognitive load inferred from eye pupil diameter. We use a wearable eye tracker to monitor the user’s pupil size while creating passwords with different strengths. To assess how creating passwords of different strength (namely weak and strong) influences users’ cognitive load, we conducted a lab study (N = 15). We asked the participants to create and enter 6 weak and 6 strong passwords. The results showed that passwords with different strengths affect the pupil diameter, thereby giving an indication of the user’s cognitive state. Our initial investigation shows the potential for new applications in the field of cognition-aware user interfaces. For example, future systems can use our results to determine whether the user created a strong password based on their gaze behavior, without the need to reveal the characteristics of the password.

References

[1]

Anne Adams, Martina Angela Sasse, and Peter Lunt. 1997. Making passwords secure and usable. In People and Computers XII. Springer, 1–19.

[2]

Sylvia Kiosterud Ahern. 1979. Activation and intelligence: Pupillometric correlates of individual differences in cognitive abilities.(1979).

[3]

Mahdi Nasrullah Al-Ameen, Matthew Wright, and Shannon Scielzo. 2015. Towards Making Random Passwords Memorable: Leveraging Users’ Cognitive Ability Through Multiple Cues. In Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems (Seoul, Republic of Korea) (CHI ’15). Association for Computing Machinery, New York, NY, USA, 2315–2324. https://doi.org/10.1145/2702123.2702241

Digital Library

[4]

Tanya Bafna, John Paulin Paulin Hansen, and Per Baekgaard. 2020. Cognitive Load during Eye-Typing. In ACM Symposium on Eye Tracking Research and Applications (Stuttgart, Germany) (ETRA ’20 Full Papers). Association for Computing Machinery, New York, NY, USA, Article 23, 8 pages. https://doi.org/10.1145/3379155.3391333

Digital Library

[5]

Richard Baskerville and Mikko Siponen. 2002. An information security meta-policy for emergent organizations. Logistics Information Management(2002).

[6]

J Beatty and B Lucero-Wagoner. 2000. The pupillary system In T. Cacioppo, L. Tassinary & G. Berntson (Eds.), Handbook of Psychophsyiology (pp. 142-162).

[7]

I Chen, Chi-Cheng Chang, 2009. Cognitive load theory: An empirical study of anxiety and task performance in language learning. (2009).

[8]

Siyuan Chen and Julien Epps. 2014. Using Task-Induced Pupil Diameter and Blink Rate to Infer Cognitive Load. Human–Computer Interaction 29, 4 (2014), 390–413. https://doi.org/10.1080/07370024.2014.892428

Digital Library

[9]

Siyuan Chen, Julien Epps, and Fang Chen. 2013. Automatic and Continuous User Task Analysis via Eye Activity. In Proceedings of the 2013 International Conference on Intelligent User Interfaces (Santa Monica, California, USA) (IUI ’13). Association for Computing Machinery, New York, NY, USA, 57–66. https://doi.org/10.1145/2449396.2449406

Digital Library

[10]

Dan Conway, Ian Dick, Zhidong Li, Yang Wang, and Fang Chen. 2013. The Effect of Stress on Cognitive Load Measurement. In Human-Computer Interaction – INTERACT 2013, Paula Kotzé, Gary Marsden, Gitte Lindgaard, Janet Wesson, and Marco Winckler(Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 659–666.

Digital Library

[11]

Andrew T. Duchowski, Krzysztof Krejtz, Izabela Krejtz, Cezary Biele, Anna Niedzielska, Peter Kiefer, Martin Raubal, and Ioannis Giannopoulos. 2018. The Index of Pupillary Activity: Measuring Cognitive Load Vis-à-Vis Task Difficulty with Pupil Oscillation. In Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems (Montreal QC, Canada) (CHI ’18). Association for Computing Machinery, New York, NY, USA, 1–13. https://doi.org/10.1145/3173574.3173856

Digital Library

[12]

David Eargle, John Godfrey, Hsin Miao, Scott Stevenson, Richard Shay, Blase Ur, and Lorrie Cranor. 2015. You can do better—motivational statements in password-meter feedback. Proc. SOUPS Posters (2015).

[13]

Serge Egelman, Andreas Sotirakopoulos, Ildar Muslukhov, Konstantin Beznosov, and Cormac Herley. 2013. Does My Password Go up to Eleven? The Impact of Password Meters on Password Selection. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Paris, France) (CHI ’13). Association for Computing Machinery, New York, NY, USA, 2379–2388. https://doi.org/10.1145/2470654.2481329

Digital Library

[14]

Sandra G Hart and Lowell E Staveland. 1988. Development of NASA-TLX (Task Load Index): Results of empirical and theoretical research. In Advances in psychology. Vol. 52. Elsevier, 139–183.

[15]

Eckhard H Hess and James M Polt. 1964. Pupil size in relation to mental activity during simple problem-solving. Science 143, 3611 (1964), 1190–1192.

[16]

Sazzad Hussain, Siyuan Chen, Rafael A Calvo, and Fang Chen. 2011. Classification of cognitive load from task performance & multichannel physiology during affective changes. In Conference on Multimodal Interaction. 1–4.

[17]

Curtis S. Ikehara and M. Crosby. 2005. Assessing Cognitive Load with Physiological Sensors. Proceedings of the 38th Annual Hawaii International Conference on System Sciences (2005), 295a–295a.

Digital Library

[18]

Philip G. Inglesant and M. Angela Sasse. 2010. The True Cost of Unusable Password Policies: Password Use in the Wild. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Atlanta, Georgia, USA) (CHI ’10). Association for Computing Machinery, New York, NY, USA, 383–392. https://doi.org/10.1145/1753326.1753384

Digital Library

[19]

Shamsi T. Iqbal, Piotr D. Adamczyk, Xianjun Sam Zheng, and Brian P. Bailey. 2005. Towards an Index of Opportunity: Understanding Changes in Mental Workload during Task Execution. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Portland, Oregon, USA) (CHI ’05). Association for Computing Machinery, New York, NY, USA, 311–320. https://doi.org/10.1145/1054972.1055016

Digital Library

[20]

Marcel A Just and Patricia A Carpenter. 1993. The intensity dimension of thought: pupillometric indices of sentence processing.Canadian Journal of Experimental Psychology/Revue canadienne de psychologie expérimentale 47, 2 (1993), 310.

[21]

Khaled Kassem, Jailan Salah, Yasmeen Abdrabou, Mahesty Morsy, Reem El-Gendy, Yomna Abdelrahman, and Slim Abdennadher. 2017. DiVA: Exploring the Usage of Pupil DiAmeter to Elicit VAlence and ARousal. In Proceedings of the 16th International Conference on Mobile and Ubiquitous Multimedia (Stuttgart, Germany) (MUM ’17). Association for Computing Machinery, New York, NY, USA, 273–278. https://doi.org/10.1145/3152832.3152836

Digital Library

[22]

P. G. Kelley, S. Komanduri, M. L. Mazurek, R. Shay, T. Vidas, L. Bauer, N. Christin, L. F. Cranor, and J. Lopez. 2012. Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms. In 2012 IEEE Symposium on Security and Privacy. 523–537. https://doi.org/10.1109/SP.2012.38

Digital Library

[23]

Peter Kiefer, Ioannis Giannopoulos, Andrew Duchowski, and Martin Raubal. 2016. Measuring Cognitive Load for Map Tasks Through Pupil Diameter. In Geographic Information Science, Jennifer A. Miller, David O’Sullivan, and Nancy Wiegand(Eds.). Springer International Publishing, Cham, 323–337.

[24]

Jeff Klingner. 2010. Measuring Cognitive Load During Visual Tasks by Combining Pupillometry and Eye Tracking. Ph.D. Dissertation. Stanford University, Department of Computer Science. http://purl.stanford.edu/mv271zd7591

[25]

Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Serge Egelman. 2011. Of Passwords and People: Measuring the Effect of Password-Composition Policies. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Vancouver, BC, Canada) (CHI ’11). Association for Computing Machinery, New York, NY, USA, 2595–2604. https://doi.org/10.1145/1978942.1979321

Digital Library

[26]

Thomas Kosch, Mariam Hassib, Daniel Buschek, and Albrecht Schmidt. 2018. Look into My Eyes: Using Pupil Dilation to Estimate Mental Workload for Task Complexity Adaptation. In Extended Abstracts of the 2018 CHI Conference on Human Factors in Computing Systems (Montreal QC, Canada) (CHI EA ’18). Association for Computing Machinery, New York, NY, USA, 1–6. https://doi.org/10.1145/3170427.3188643

Digital Library

[27]

Stephen Mujeye and Yair Levy. 2013. Complex passwords: How far is too far? The role of cognitive load on employee productivity. Online Journal of Applied Knowledge Management (OJAKM) 1, 1(2013), 122–132.

[28]

R. O’donnell and F. T. Eggemeier. 1986. Workload assessment methodology.

[29]

Fred GWC Paas and Jeroen JG Van Merriënboer. 1993. The efficiency of instructional conditions: An approach to combine mental effort and performance measures. Human factors 35, 4 (1993), 737–743.

[30]

Oskar Palinko, Andrew L. Kun, Alexander Shyrokov, and Peter Heeman. 2010. Estimating Cognitive Load Using Remote Eye Tracking in a Driving Simulator. In Proceedings of the 2010 Symposium on Eye-Tracking Research & Applications (Austin, Texas) (ETRA ’10). Association for Computing Machinery, New York, NY, USA, 141–144. https://doi.org/10.1145/1743666.1743701

Digital Library

[31]

Mudassar Raza, Muhammad Iqbal, Muhammad Sharif, and Waqas Haider. 2012. A survey of password attacks and comparative analysis on methods for secure authentication. World Applied Sciences Journal 19, 4 (2012), 439–444.

[32]

Prentice Reeves. 1920. The response of the average pupil to various intensities of light. JOSA 4, 2 (1920), 35–43.

[33]

Ramón Romance, Adriana Nielsen-Rodríguez, Javier Benítez-Porres, José Luis Chinchilla-Minguet, and Honorato Morente-Oria. 2018. Cognitive Effects and educational possibilities of physical activity in sustainable cities. Sustainability 10, 7 (2018), 2420.

[34]

Richard Shay, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Alain Forget, Saranga Komanduri, Michelle L. Mazurek, William Melicher, Sean M. Segreti, and Blase Ur. 2015. A Spoonful of Sugar? The Impact of Guidance and Feedback on Password-Creation Behavior. In Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems (Seoul, Republic of Korea) (CHI ’15). Association for Computing Machinery, New York, NY, USA, 2903–2912. https://doi.org/10.1145/2702123.2702586

Digital Library

[35]

Jeffrey M. Stanton, Kathryn R. Stam, Paul Mastrangelo, and Jeffrey Jolton. 2005. Analysis of End User Security Behaviors. Comput. Secur. 24, 2 (March 2005), 124–133. https://doi.org/10.1016/j.cose.2004.07.001

Digital Library

[36]

John Sweller. 2011. Cognitive load theory. In Psychology of learning and motivation. Vol. 55. Elsevier, 37–76.

[37]

Masaaki Tanaka, Akira Ishii, and Yasuyoshi Watanabe. 2015. Effects of mental fatigue on brain activity and cognitive performance: a magnetoencephalography study. Anat Physiol 4(2015), 1–5.

[38]

Blase Ur, Jonathan Bees, Sean M. Segreti, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. 2016. Do Users’ Perceptions of Password Security Match Reality?. In Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems (San Jose, California, USA) (CHI ’16). Association for Computing Machinery, New York, NY, USA, 3748–3760. https://doi.org/10.1145/2858036.2858546

Digital Library

[39]

Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle L. Mazurek, Timothy Passaro, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. 2012. How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation. In 21st USENIX Security Symposium (USENIX Security 12). USENIX Association, Bellevue, WA, 65–80. https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/ur

Digital Library

[40]

Blase Ur, Fumiko Noma, Jonathan Bees, Sean M. Segreti, Richard Shay, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. 2015. ”I Added ’!’ at the End to Make It Secure”: Observing Password Creation in the Lab. In Eleventh Symposium On Usable Privacy and Security (SOUPS 2015). USENIX Association, Ottawa, 123–140. https://www.usenix.org/conference/soups2015/proceedings/presentation/ur

[41]

Pauline van der Wel and Henk van Steenbergen. 2018. Pupil dilation as an index of effort in cognitive control tasks: A review. Psychonomic bulletin & review 25, 6 (2018), 2005–2015.

[42]

Matt Weir, Sudhir Aggarwal, Michael Collins, and Henry Stern. 2010. Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords. In Proceedings of the 17th ACM Conference on Computer and Communications Security (Chicago, Illinois, USA) (CCS ’10). Association for Computing Machinery, New York, NY, USA, 162–175. https://doi.org/10.1145/1866307.1866327

Digital Library

[43]

Daniel Lowe Wheeler. 2016. zxcvbn: Low-budget password strength estimation. In 25th {USENIX} Security Symposium ({USENIX} Security 16). 157–173.

Cited By

Grootjen JWeingärtner HMayer S(2024)Uncovering and Addressing Blink-Related Challenges in Using Eye Tracking for Interactive SystemsProceedings of the CHI Conference on Human Factors in Computing Systems10.1145/3613904.3642086(1-23)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613904.3642086
Albesher A(2023)Reviewing the Usability of Web Authentication Procedures: Comparing the Current Procedures of 20 WebsitesSustainability10.3390/su15141104315:14(11043)Online publication date: 14-Jul-2023
https://doi.org/10.3390/su151411043
Abdrabou YSchütte JShams APfeuffer KBuschek DKhamis MAlt F(2022)”Your Eyes Tell You Have Used This Password Before”: Identifying Password Reuse from Gaze and Keystroke DynamicsProceedings of the 2022 CHI Conference on Human Factors in Computing Systems10.1145/3491102.3517531(1-16)Online publication date: 29-Apr-2022
https://dl.acm.org/doi/10.1145/3491102.3517531
Show More Cited By

Index Terms

Think Harder! Investigating the Effect of Password Strength on Cognitive Load during Password Creation
1. Human-centered computing
  1. Human computer interaction (HCI)
2. Security and privacy
  1. Security services

Index terms have been assigned to the content through auto-classification.

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CHI EA '21: Extended Abstracts of the 2021 CHI Conference on Human Factors in Computing Systems

May 2021

2965 pages

ISBN:9781450380959

DOI:10.1145/3411763

Editors:
Yoshifumi Kitamura
Tohoku University, Japan
,
Aaron Quigley
University of New South Wales, Australia
,
Katherine Isbister
University of California Santa Cruz, USA
,
Takeo Igarashi
The University of Tokyo, Japan

Copyright © 2021 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGCHI: ACM Special Interest Group on Computer-Human Interaction

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 08 May 2021

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Poster
Research
Refereed limited

Funding Sources

DFG
Studienstiftung des deutschen Volkes (German Academic Scholarship Foundation
Royal Society of Edinburgh (RSE)
EPSRC
dtec.bw ? Digitalization and Technology Research Center of the Bundeswehr (Voice of Wisdom)

Conference

CHI '21

Sponsor:

SIGCHI

CHI '21: CHI Conference on Human Factors in Computing Systems

May 8 - 13, 2021

Yokohama, Japan

Acceptance Rates

Overall Acceptance Rate 6,164 of 23,696 submissions, 26%

Upcoming Conference

CHI PLAY '24

Sponsor:
sigchi

The Annual Symposium on Computer-Human Interaction in Play

October 14 - 17, 2024

Tampere , Finland

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

5
Total Citations
View Citations
381
Total Downloads

Downloads (Last 12 months)61
Downloads (Last 6 weeks)8

Other Metrics

View Author Metrics

Citations

Cited By

Grootjen JWeingärtner HMayer S(2024)Uncovering and Addressing Blink-Related Challenges in Using Eye Tracking for Interactive SystemsProceedings of the CHI Conference on Human Factors in Computing Systems10.1145/3613904.3642086(1-23)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613904.3642086
Albesher A(2023)Reviewing the Usability of Web Authentication Procedures: Comparing the Current Procedures of 20 WebsitesSustainability10.3390/su15141104315:14(11043)Online publication date: 14-Jul-2023
https://doi.org/10.3390/su151411043
Abdrabou YSchütte JShams APfeuffer KBuschek DKhamis MAlt F(2022)”Your Eyes Tell You Have Used This Password Before”: Identifying Password Reuse from Gaze and Keystroke DynamicsProceedings of the 2022 CHI Conference on Human Factors in Computing Systems10.1145/3491102.3517531(1-16)Online publication date: 29-Apr-2022
https://dl.acm.org/doi/10.1145/3491102.3517531
Qu LXiao RShi W(2022)Towards Practical Personalized Security Nudge Schemes: Investigating the Moderation Effects of Behavioral Features on Nudge EffectsScience of Cyber Security10.1007/978-3-031-17551-0_33(505-521)Online publication date: 10-Aug-2022
https://dl.acm.org/doi/10.1007/978-3-031-17551-0_33
Schmeelk SThakur KAli MDragos DAl-Hayajneh APramana B(2021)Top Reported Data Security Risks in the Age of COVID-192021 IEEE 12th Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON)10.1109/UEMCON53757.2021.9666573(0204-0208)Online publication date: 1-Dec-2021
https://doi.org/10.1109/UEMCON53757.2021.9666573

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Media

Figures

Other

Tables

View Table of Contents