Learning from Authoritative Security Experiment Results
Text Entry Method Affects Password Security
Yulong Yang, Rutgers University
Janne Lindqvist, Rutgers University
Antti Oulasvirta, Aalto University
Abstract
Background. Text-based passwords continue to be the primary form of authentication to computer systems. Today, they are increasingly created and used with mobile text entry methods, such as touchscreen qwerty keyboards, in addition to traditional physical keyboards.
Aim. This paper aims to answer a foundational question for usable security: whether text entry methods affect password generation and password security.
Method. This paper presents results from a between-group study with 63 participants, in which each group generated passwords for multiple virtual accounts using different text entry methods. Participants were also asked to recall their passwords afterwards.
Results. One-way ANOVA across groups was performed on metrics including password length, the number of different characters, and estimated password security. The results showed a significant effect of text entry method on the number of lowercase letters per password across groups (F(2,60) = 3.186, p = .048, $\eta_p^2$ = .257), but no significant effect on password length or on the number of uppercase letters, digits, or symbols. No significant effect was found for estimated password security. The results of practical cracking attacks were also similar across groups.
Conclusion. Text entry methods have an effect on password security. However, the effect is subtler than expected.