Life-Experience Passwords (LEPs) - User Study

Welcome

Thank you for your interest in our study! Your participation can help us learn more about how to create passwords that are both convenient and safe. This study has four phases. Participation in this first phase will require less than an hour to complete. In this first phase, you will be asked to generate some passwords, and then later on, you will be asked to return to this website to see how well you can recall these passwords.

Information Sheet

You are invited to participate in a research study conducted by Professor Jelena Mirkovic and Simon Woo, at the University of Southern California. This webpage explains information about this study. You should ask questions about anything that is unclear to you (see Contact Information below).

This study examines the use of memorable experiences from a person's life for creation of unique, easy-to-remember, hard-to-guess passwords. You must be aged 18 or older to participate. Your participation is voluntary.

Study procedure

In the study you will pretend to create both ordinary (e.g., 8-character long) and life-experience passwords (LEPs) for six imaginary servers. At a later date you will be asked to return and authenticate by either supplying your ordinary password, or by answering questions about the LEPs you provided earlier. The study will be conducted in 4 separate sessions. All participation is via online access.

Ordinary Password Generation

You will be asked to generate an ordinary, 8-character long password for three imaginary servers, in one sitting. This is anticipated to take no more than an hour to complete. To protect yourself, you should not create a password for the study that you currently use.

LEP Generation

You will be asked to input information about a personal experience of your choice into our system, either in your own words or by answering questions posed by the system. We will use your input to extract facts about time, locations, people and activities in your experience. We will transform these facts into pairs, each consisting of a verification question and a verification answer. We will use the verification questions to prompt you in the next stage of the study. The verification answers become your LEP. You will repeat this process three times, in the same sitting that is used for ordinary password generation.

Verification

One week, one month and three months after password generation we will e-mail you and ask you to return to the site and answer verification questions. This will help us measure memorability of passwords, both ordinary and LEPs.

Guessability

We will measure how easy it would be for an attacker to guess your ordinary password using dictionary attacks.

We will also measure how easy it would be for a stranger to guess your LEP by mining popular answers to your verification questions, and comparing them to your verification answers.

Potential Risks and Discomforts

There is minimal risk to you from feeling discomfort if you choose to use an unpleasant memory to create a LEP. You are asked not to choose any events which involve illegal behavior or information that could have negative consequences for you, for example, cheating, theft, etc.

Alternatives to Participation

Your alternative is not to participate in this study; if you are a USC student, your grades will not be affected, whether or not you participate in this study.

Confidentiality

The University of Southern California's Human Subjects Protection Program (HSPP) reviews and monitors research studies to protect the rights and welfare of research subjects. We will protect your privacy in the following way:
  1. You will be asked to input an e-mail address when you enter the study. This e-mail address will be converted to an index, using a one-way hash, and used to store all your input in our database. The one-way hash function ensures that no one can extract your e-mail address from the index. Thus your identity and those of other participants will be anonymized at all times during the study.
  2. We will store all e-mail addresses during the study so we can send you reminder e-mails.
  3. Your e-mail address will be deleted after you complete the study.
  4. All your input will be stored encrypted, with the encryption key known only to our research staff. The input will be stored indefinitely. You have the right to ask for this input to be removed by sending an e-mail.
The data stored on our server will remain there indefinitely. If you do not want the data used in future studies, you should not participate in this study.

You have the right at any time to request that this data be removed from our server by sending an e-mail to the Principal Investigator at mirkovic@isi.edu and providing the e-mail address you used to sign up for the study.

When the results of the research are published or discussed in conferences, no identifiable information will be used. We will list our publications and publications of any researchers who use this data at our project page: http://steel.isi.edu/Projects/LEP.

Potential Benefits to Participants and/or to Society

You may not directly benefit from your participation in this study; however, you may learn how strong your passwords (both ordinary and LEPs) are against common password-cracking tools. Researchers hope that this new, promising approach can greatly improve existing user authentication systems.

Participation and Withdrawal

Your participation is voluntary. Your refusal to participate will involve no penalty or loss of benefits to which you are otherwise entitled. You may withdraw your participation at any time and discontinue without penalty. You are not waiving any legal claims, rights or remedies because of your participation in this research study.

Investigator's Contact Information

If you have any questions or concerns about the research, please feel free to contact the Principal Investigator Professor Jelena Mirkovic at: mirkovic@isi.edu or telephone: 310-448-9170.

USC Information Sciences Institute
4676 Admiralty Way, Suite 1001
Marina del Rey, CA 90292
310-448-9170
or via mirkovic@isi.edu.

IRB Contact Information

If you have questions, concerns, or complaints about your rights as a research participant you may contact the IRB directly at the information provided below. If you have questions about the research and are unable to contact the research team, or if you want to talk to someone independent of the research team, please contact the:

University Park Institutional Review Board (UPIRB)
3720 South Flower Street #301
Los Angeles, CA 90089-0702
(213) 821-5272
or upirb@usc.edu.



Please click HERE to enter the LEPs Usability Study.