This paper describes research in systems security. It will be of interest to system administrators, to people monitoring network security for an organization, and to researchers in systems security.
The title of this paper is taken from a well-known xkcd comic strip [1]. The premise, borrowed from the comic, is that a passphrase made of a few common words can have high entropy and still be easy to remember; the paper tests that premise with real users. The authors lump together the terms “password” and “passphrase” into the term “secret.” Thus, a secret can represent either a password or a passphrase.
The authors recruited participants using Amazon’s Mechanical Turk (MTurk) crowdsourcing service. They received 55 cents for completing the first part of the study and an additional 70 cents for completing the second part. The participants were at least 18 years old, lived in the US, and had never participated in a previous study on passwords.
The authors used the following scenario to explain to participants why they were being assigned a secret rather than choosing one: “Your main email service provider has been attacked[;] ... because of the attack, your email service provider is also changing its password rules. Instead of choosing your own password, one will be assigned to you.” The participants then answered a brief survey about their experiences learning their new secrets.
Forty-eight hours after completing the first part of the study, the participants received an email asking them to return for part two. The participants were then asked to log in using their assigned secrets. The authors recorded whether each login succeeded and whether the participant had to click on the “Forgot Password” link. After logging in, the participants completed another survey about how they had remembered their secrets, including whether or not they had written them down. The authors found that the system-assigned secrets were not well liked by users. The vast majority of users opted to store them (write them down in some manner) rather than rely on memory.
The authors experimented with secrets composed of words drawn from a variety of dictionaries. They conjecture that they “may be able to create high-entropy [secrets] while selecting dictionaries that meet certain properties.”
The authors found few differences between three-word and four-word secrets. Three- and four-word secrets with the same entropy are approximately the same length and result in similar typing speeds and error rates.
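The comparison above only makes sense if the three-word and four-word secrets are matched on entropy, which for a system-assigned passphrase depends solely on the dictionary size and the number of words drawn, not on the words themselves. The following Python is an added example, not code from the paper, showing how that matching is done and how such a secret is generated safely. The dictionary is a constructed sixteen-word list, the 30-bit target and the helper names are assumptions for illustration, and the caveat that drawing without repeats lowers entropy is included because a generator that forbids repeated words is a common variation.

```python
import math
import secrets

# Constructed sample dictionary (not the paper's). Only its size matters
# for entropy; the words themselves contribute nothing.
SAMPLE_DICTIONARY = [
    "correct", "horse", "battery", "staple", "river", "candle", "planet",
    "window", "garden", "silver", "rocket", "button", "forest", "marble",
    "pillow", "copper",
]  # 16 words -> log2(16) = 4 bits per word drawn


def passphrase_entropy_bits(dictionary_size: int, word_count: int,
                            allow_repeats: bool = True) -> float:
    """Entropy (bits) of a passphrase built by drawing `word_count` words
    uniformly from a dictionary of `dictionary_size` distinct words.

    With repeats allowed there are n**k equally likely ordered outcomes.
    If the generator refuses repeated words, only n*(n-1)*...*(n-k+1)
    outcomes remain, so entropy is slightly lower; a policy that bans
    repeats is a (small) loss, not a gain.
    """
    if dictionary_size < 2 or word_count < 1:
        raise ValueError("need at least two dictionary words and one draw")
    if allow_repeats:
        return word_count * math.log2(dictionary_size)
    if word_count > dictionary_size:
        raise ValueError("cannot draw more distinct words than the dictionary holds")
    # log2 of the falling factorial, summed to avoid huge integers
    return sum(math.log2(dictionary_size - i) for i in range(word_count))


def dictionary_size_for(target_bits: float, word_count: int) -> int:
    """Smallest dictionary giving at least `target_bits` for `word_count`
    words drawn with replacement. This is how one builds three-word and
    four-word conditions of matched entropy."""
    if word_count < 1:
        raise ValueError("word_count must be positive")
    return math.ceil(2 ** (target_bits / word_count))


def matched_conditions(target_bits: float, word_counts=(3, 4)) -> dict:
    """For each word count, the dictionary size needed and the entropy it
    actually delivers. Assumed helper for illustration."""
    result = {}
    for k in word_counts:
        n = dictionary_size_for(target_bits, k)
        result[k] = {"dictionary_size": n,
                     "entropy_bits": passphrase_entropy_bits(n, k)}
    return result


def assign_passphrase(dictionary, word_count: int, separator: str = " ") -> str:
    """Generate a system-assigned passphrase. `secrets.choice` draws from the
    OS CSPRNG; `random.choice` is seeded predictably and must not be used
    for anything the entropy figure above is supposed to describe."""
    if word_count < 1:
        raise ValueError("word_count must be positive")
    words = [secrets.choice(dictionary) for _ in range(word_count)]
    return separator.join(words)


if __name__ == "__main__":
    # Assumed 30-bit target: 3 words need a 1024-word dictionary,
    # 4 words need a 182-word dictionary for the same strength.
    for k, info in matched_conditions(30).items():
        print(f"{k} words: {info['dictionary_size']} words in dictionary, "
              f"{info['entropy_bits']:.2f} bits")
    print("with repeats   :", passphrase_entropy_bits(16, 3))
    print("without repeats:", round(passphrase_entropy_bits(16, 3, False), 3))
    print("sample secret  :", assign_passphrase(SAMPLE_DICTIONARY, 3))
```

The practical check this gives a practitioner: a four-word secret is not automatically stronger than a three-word one. If it is drawn from a much smaller dictionary (as it must be to keep the two conditions comparable), the two carry the same number of bits, and the paper's observation that they end up about the same length and equally easy to type follows from that matching.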
Overall, this is an interesting paper. The authors note the standard methods for giving users strong secrets: generate a random string of characters that is difficult to memorize, or impose a set of complex rules that requires a person to construct his or her own secret from a combination of letters, numbers, and punctuation marks. Regardless of how such secrets are generated, people end up either writing them down on paper or using a password management system to store and retrieve them. The authors hint that high-entropy secrets of three or four words may be the best solution for this problem because they should be easier to remember, although, as noted above, most participants in this study still chose to store their assigned secrets rather than memorize them.