Ph.D. Computer Science (2015) Carleton University, Ottawa, ON, Canada

Thesis: Graphical Passwords and Practical Password Management

Text passwords pose a number of difficulties for end users, who must create, remember, and manage large numbers of passwords. Users are often regarded as the weak link in security systems, but they are a crucial component of the system and need to be better considered in the design of security products. Many password alternatives have been proposed, but none have successfully replaced ordinary text passwords, and the potential consequences of password problems grow as more information relating to work and life is stored online. This thesis explores practical approaches to helping users select, securely reuse, and manage passwords, and investigates questions about password alternatives. The attention is on the end user and how authentication affects these users in their daily lives; the focus is on practical, actionable results that assist end users in their daily tasks. The thesis begins by investigating issues of memorability with graphical passwords, and proposes the design of PassTiles, a new graphical password system that allows secure, random, memorable passwords to be easily assigned. This graphical password system is used to explore which type of memory retrieval best supports the memorability of graphical passwords, and the results show that cued-recall graphical passwords give an advantageous combination of memorability and usability. Password coping strategies are next explored through interviews with end users and an investigation into the techniques that users rely on to handle current password demands. Interviews with expert users were conducted to understand how their additional expertise helps them manage the same problems faced by end users. Grounded Theory analysis led to the emergence of a password life cycle model. A survey study suggested that the coping strategies discussed in the interviews are widespread. Finally, the thesis proposes the design of a password manager to support users' existing coping strategies by protecting password reuse, and to securely protect users' accounts with memorable assigned random graphical passwords.

M.A. Psychology (2011) Carleton University, Ottawa, ON, Canada

Thesis: Memorability of Assigned Random Graphical Passwords

When allowed to select their own passwords, users often choose easily guessed passwords. Assigning random passwords removes this threat, but assigned passwords can be difficult to remember. Graphical passwords are an alternative form of authentication that uses images for login and leverages the picture superiority effect for good usability and memorability. This thesis examines the memorability of randomly assigned graphical passwords and compares them to text passwords. It also examines how different kinds of memory retrieval (recall, cued-recall, and recognition) affect the memorability of graphical passwords. A study of five password systems showed that participants were able to remember both graphical and text passwords for the duration of the study, but it was difficult to assess the memorability of the passwords because many participants wrote their passwords down. The usability of the schemes varied, but in general it took longer for participants to log in using password schemes that relied more heavily on recognition memory.