Published on Sep 05, 2023
The objective:
To determine whether there is a connection between the human factor in password composition/usage and the relative entropy of the password.
No tangible materials were used. However, the following web-based software utilities were used to create webpages and store data:
-cloud-based Linux web server including:
--PHP scripting language
--LimeSurvey authoring application
-cloud-based database server including MySQL database server
I created a webpage for the purpose of collecting email addresses and passwords.
Participants were sent an email message requesting their participation in the project. The message included a link to the webpage which asked the participants to register using an email address and password.
Three weeks later, a second email message was sent to participants who registered in the first step. The message included a link to a second webpage incorporating a 5-question survey regarding the participant's password.
Passwords were collected from 281 initial participants and survey results were collected from 170 returning participants. With regard to strength of the 281 initial passwords, entropy values ranged from 0 to 82.72 bits. Average entropy was 36.69 bits.
Median entropy was 36.19 bits. 11% of all passwords consisted of 6 lowercase letters. Furthermore, 41% of all passwords consisted only of lowercase letters.
33% of all passwords consisted of lowercase letters and numbers. Only 1 of the 281 passwords consisted of the maximum sized character set, including uppercase letters, lowercase letters, numbers, and special characters.
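An added example, not part of the original project: one way to compute the kind of entropy and composition figures reported above. The page does not give its entropy formula, so the pool-size model used here (length times log2 of the combined size of the character classes present), the class sizes, and all sample passwords are assumptions constructed for illustration.

```python
import math
import string
from collections import Counter
from statistics import mean, median

# Assumed character pools: 26 lowercase, 26 uppercase, 10 digits, 32 ASCII symbols.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

def classes_used(password):
    """Return the sorted tuple of character classes that appear in the password."""
    return tuple(sorted(name for name, chars in CLASSES.items()
                        if any(c in chars for c in password)))

def entropy_bits(password):
    """Assumed model: length * log2(pool), pool = total size of the classes used."""
    pool = sum(len(CLASSES[name]) for name in classes_used(password))
    # An empty password (or one with no recognised characters) scores 0 bits.
    return len(password) * math.log2(pool) if pool else 0.0

def summarize(passwords):
    """Entropy statistics and composition shares for a list of passwords."""
    bits = [entropy_bits(p) for p in passwords]
    mix = Counter(classes_used(p) for p in passwords)
    total = len(passwords)
    return {
        "min": min(bits), "max": max(bits),
        "mean": mean(bits), "median": median(bits),
        "lower_only": mix[("lower",)] / total,
        "lower_and_digits": mix[("digit", "lower")] / total,
        "all_four_classes": mix[("digit", "lower", "special", "upper")],
    }

# Constructed sample, not data from the study.
SAMPLE = ["monkey", "summer", "abc123", "monkey", "Tr0ub4dor&3", "a1b2c3d4e5f6g7h8"]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value:.2f}")
```

The pool-size model assumes each character is chosen uniformly at random, so for human-chosen or reused passwords it overstates resistance to guessing.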
With regard to frequency, there were only 9 instances of recurrence. With regard to "rememberability," 134 of 170 returning participants thought they remembered their passwords, but only 72 of those 134 actually remembered.
With regard to how people remembered their passwords, of the 170 returning participants, 16 wrote them down somewhere, 127 used the same password that they have used on other websites, 19 used passwords that they associated with this project, and 12 used some other mnemonic device.
With regard to relative password strength, most people did not estimate their password strength correctly. In relation to my hypothesis, I concluded that the initial set of passwords did exhibit low
The effects of human factors on "rememberability" and "guessability" (calculated entropy) of passwords.