Passwords are used to protect all sorts of data and are a critical part of daily life, but password creation requirements can vary widely. The National Institute of Standards and Technology (NIST) identified usability and human factors as key elements of cyber security, and the agency wanted to investigate the password generation process to develop a better understanding of the impact of password creation requirements on usability. NIST contracted FMG to help understand and quantify the cognitive processes and strategies used during password generation, with the aim of finding an optimal password length, complexity, and phrasing that balances both security and usability requirements.
FMG facilitated the development of cross-platform data collection programs and the collection of usability data with mobile device users. Our researchers worked with NIST staff to create the test protocol and conducted in-lab tests, during which participants were asked to memorize and enter passwords of various lengths and compositions. Observational data, participant self-reports, and success metrics were collected to investigate the implications of different password characteristics for performance and difficulty of use.
These empirical data on memory, character, string, and password usage informed usability considerations for password policy in support of NIST’s ultimate work to inform and influence usability standards of password policy in government and industry.