Studying how people create passwords (SemTrAC)



The study focuses on analyzing password re-use, extracting password patterns, analyzing password complexity, their similarities, and variations across users or the same user as per web site category/importance. The target population is general population of users of any web site.

The study will focus on analyzing password re-use, extracting password patterns, analyzing password complexity, their similarities, and variations for the same user as per website category/importance. We plan to analyze human behavior/approach in creating passwords used in real-life, password re-use and their associated complexities as per website importance (which may be subjective). We also plan to analyze password complexities and their memorability across users as per website importance.

Relevant Work & Problem Statement:

A large-scale study conducted by Microsoft analyzed password re-use across websites and the number of online accounts users maintain. This study was done in 2006 and found that an average user has 25 online accounts. By now the number must have increased and our study will contribute to finding the new average.

A recent study analyzed semantic variations of passwords transformed from leaked password sets. They found many similarities among users but we want to study password similarities within many accounts of the same user.

Another study conducted at Carnegie Mellon University has analyzed the participant's opinion and approach for creating new passwords on random/fictitious websites based on their respective category (banking website, social networking website, email provider, forum, blog, etc.) in a controlled environment. This study asked participants to create passwords for three fictitious web sites and to narrate their choice. But, since the sites were fictitious, user motivations when they created these passwords were likely not the same as when they create real passwords. First, user perception of risk is smaller for a fictitious bank site than for a real one. Second, user need to remember a password is non-existent for a fictitious site, while it may be large for a real site.

Much prior research has also found that passwords are not secure (they are easily cracked) and many people forget their passwords. There is a trade-off between memorability and security of passwords (more complex passwords are more secure but less memorable). We believe that the best way to study how people create passwords, and which factors influence this security/memorability trade-off is to study real passwords users have at multiple sites. We want to study how people reason about security and memorability of passwords, and how their perception of risk and their perception of importance of the given site interact with this reasoning.

Study Procedure


The University of Southern California's Human Subjects Protection Program (HSPP) reviews and monitors research studies to protect the rights and welfare of research subjects. We will protect your privacy in the following way:
  1. Florencio, Dinei, and Cormac Herley. "A large-scale study of web password habits." Proceedings of the 16th international conference on World Wide Web. ACM, 2007.
  2. Veras, Rafael, Christopher Collins, and Julie Thorpe. "On Semantic Patterns of Passwords and their Security Impact." NDSS. 2014.
  3. Ur, Blase, et al. "" I Added'!'at the End to Make It Secure": Observing Password Creation in the Lab." Eleventh Symposium On Usable Privacy and Security (SOUPS 2015). 2015.
  4. Egelman, Serge, and Eyal Peer. "Scaling the security wall: Developing a security behavior intentions scale (sebis)." Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems. ACM, 2015.
  5. Creese, Sadie, et al. "Relationships between password choices, perceptions of risk and security expertise." International Conference on Human Aspects of Information Security, Privacy, and Trust. Springer Berlin Heidelberg, 2013.