Full Program »
User Perceptions of Five-Word Passwords
Prior research has shown that human-chosen passwords are often short and selected non-uniformly, making many of them susceptible to automated guessing attacks. To help users to select passwords that are harder to guess but are still memorable, security experts have recommended the use of passphrases, where users select multiple words or phrases as their password, rather than a random sequence of numbers, digits, and symbols. In this paper, we explore one such strategy for passphrase selection, so-called five-word passwords, where users are assigned five random words to form the basis of a passphrase. Such a password composition policy was recently adopted for all accounts at an Anonymous University beginning in December 2020. Through a two-part online survey (𝑛 = 150 and 𝑛 = 116), participants selected a five-word password under different conditions of password selection. We find that computer-generated five-word passwords have more diverse words and are thus likely more secure than five-word passwords where users select each of the words. Interestingly, while all cases of five-word passwords are likely more secure than a human-generated, traditional password, participants expressed misconceptions regarding the security of five-word passwords (and passwords generally). Several participants assumed that these passwords are insecure because they do not have multiple character classes, despite the additional length adding substantial security. Despite increased security, five-word passwords appear to negatively impact usability, with only 39.7% of participants successfully recalling their password after two weeks. Our results indicate that five-word passwords are a promising way to improve password security, but more outreach is needed to explain their security benefits and reduce their usability burdens.