{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,30]],"date-time":"2026-03-30T10:32:51Z","timestamp":1774866771949,"version":"3.50.1"},"reference-count":37,"publisher":"Emerald","issue":"3","license":[{"start":{"date-parts":[[2019,7,8]],"date-time":"2019-07-08T00:00:00Z","timestamp":1562544000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2019,7,8]]},"abstract":"Purpose<\/jats:title>Using authentication to secure data and accounts has grown to be a natural part of computing. Even if several authentication methods are in existence, using passwords remains the most common type of authentication. As long and complex passwords are encouraged by research studies and practitioners alike, computer users design passwords using strategies that enable them to remember their passwords. This paper aims to present a taxonomy of those password creation strategies in the form of a model describing various strategies used to create passwords.<\/jats:p><\/jats:sec>Design\/methodology\/approach<\/jats:title>The study was conducted in a three-step process beginning with a short survey among forensic experts within the Swedish police. The model was then developed by a series of iterative semi-structured interviews with forensic experts. In the third and final step, the model was validated on 5,000 passwords gathered from 50 different password databases that have leaked to the internet.<\/jats:p><\/jats:sec>Findings<\/jats:title>The result of this study is a taxonomy of password creation strategies presented as a model that describes the strategies as properties that a password can hold. Any given password can be classified as holding one or more of the properties outlined in the model.<\/jats:p><\/jats:sec>Originality\/value<\/jats:title>On an abstract level, this study provides insight into password creation strategies. As such, the model can be used as a tool for research and education. It can also be used by practitioners in, for instance, penetration testing to map the most used password creation strategies in a domain or by forensic experts when designing dictionary attacks.<\/jats:p><\/jats:sec>","DOI":"10.1108\/ics-06-2018-0077","type":"journal-article","created":{"date-parts":[[2019,6,11]],"date-time":"2019-06-11T09:13:30Z","timestamp":1560244410000},"page":"453-467","source":"Crossref","is-referenced-by-count":8,"title":["Understanding passwords \u2013 a taxonomy of password creation strategies"],"prefix":"10.1108","volume":"27","author":[{"given":"Joakim","family":"K\u00e4vrestad","sequence":"first","affiliation":[]},{"given":"Fredrik","family":"Eriksson","sequence":"additional","affiliation":[]},{"given":"Marcus","family":"Nohlberg","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"key":"key2020052710224377900_ref001","first-page":"1","article-title":"Challenges to digital forensics: a survey of researchers and practitioners attitudes and opinions","volume-title":"Information Security for South Africa","year":"2013"},{"key":"key2020052710224377900_ref002","first-page":"71","article-title":"Game geek\u2019s goss: linguistic creativity in young males within an online university forum (94\/\/3 933k\u20195 9055oneone)","volume":"3","year":"2005","journal-title":"Australian Journal of Emerging Technologies and Society"},{"key":"key2020052710224377900_ref003","volume-title":"Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet","year":"2011"},{"key":"key2020052710224377900_ref004","first-page":"23","volume-title":"The Tangled Web of Password Reuse","year":"2014"},{"key":"key2020052710224377900_ref005","first-page":"1","article-title":"Penetration testing: concepts, attack methods, and defense strategies. Systems, applications and technology conference (LISAT)","volume-title":"2016 IEEE Long Island, 2016","year":"2016"},{"key":"key2020052710224377900_ref006","doi-asserted-by":"crossref","first-page":"657","DOI":"10.1145\/1242572.1242661","article-title":"A large-scale study of web password habits","volume-title":"Proceedings of the 16th international conference on World Wide Web","year":"2007"},{"key":"key2020052710224377900_ref007","doi-asserted-by":"crossref","first-page":"63","DOI":"10.1109\/MDAT.2018.2862366","article-title":"Advances in forensic data acquisition","volume":"35","year":"2018","journal-title":"IEEE Design and Test"},{"key":"key2020052710224377900_ref008","first-page":"631","article-title":"1997 Signature based password authentication method. Systems, man, and cybernetics, 1997 computational cybernetics and simulation","volume-title":"1997 IEEE International Conference on","year":"1997"},{"key":"key2020052710224377900_ref009","first-page":"67","article-title":"Organisational security culture: embedding security awareness, education and training","year":"2005"},{"key":"key2020052710224377900_ref010","doi-asserted-by":"crossref","first-page":"S64","DOI":"10.1016\/j.diin.2010.05.009","article-title":"Digital forensics research: the next 10 years","volume":"7","year":"2010","journal-title":"Digital Investigation"},{"key":"key2020052710224377900_ref011","doi-asserted-by":"crossref","first-page":"1230","DOI":"10.1145\/2976749.2978416","article-title":"On the security of cracking-resistant password vaults","volume-title":"Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security","year":"2016"},{"key":"key2020052710224377900_ref012","first-page":"285","volume-title":"Using Personal Information in Targeted Grammar-Based Probabilistic Password Attacks","year":"2017"},{"issue":"4","key":"key2020052710224377900_ref013","doi-asserted-by":"crossref","first-page":"885","DOI":"10.1111\/1556-4029.12809","article-title":"Taxonomy of challenges for digital forensics","volume":"60","year":"2015","journal-title":"Journal of Forensic Sciences"},{"key":"key2020052710224377900_ref014","volume-title":"Guide to Digital Forensics: A Concise and Practical Introduction","year":"2017"},{"key":"key2020052710224377900_ref015","article-title":"Modeling the adversary to evaluate password strength with limited samples","year":"2016"},{"key":"key2020052710224377900_ref016","first-page":"67","article-title":"Human selection of mnemonic phrase-based passwords","year":"2006"},{"key":"key2020052710224377900_ref017","first-page":"158","article-title":"Dictionary attack on wordpress: Security and forensic analysis","volume-title":"Information Security and Cyber Forensics (InfoSec), 2015 Second International Conference on, 2015","year":"2015"},{"key":"key2020052710224377900_ref018","volume-title":"Naturalistic Inquiry","year":"1985"},{"issue":"11","key":"key2020052710224377900_ref019","doi-asserted-by":"crossref","first-page":"594","DOI":"10.1145\/359168.359172","article-title":"Password security: a case history","volume":"22","year":"1979","journal-title":"Communications of the Acm"},{"key":"key2020052710224377900_ref020","doi-asserted-by":"crossref","first-page":"364","DOI":"10.1145\/1102120.1102168","article-title":"Fast dictionary attacks on passwords using time-space tradeoff","volume-title":"Proceedings of the 12th ACM conference on Computer and communications security","year":"2005"},{"key":"key2020052710224377900_ref021","first-page":"189","article-title":"Improving usability of passphrase authentication. Privacy, security and trust (PST)","volume-title":"2014 Twelfth Annual International Conference on, 2014","year":"2014"},{"key":"key2020052710224377900_ref022","volume-title":"Security in Computing","year":"2015","edition":"5th ed."},{"key":"key2020052710224377900_ref023","first-page":"1","article-title":"Information security culture: a general living systems theory perspective","volume-title":"Information Security for South Africa (ISSA), 2014","year":"2014"},{"key":"key2020052710224377900_ref024","volume-title":"Real World Research: A Resource for Users of Social Research Methods in Applied Settings","year":"2011","edition":"3rd ed"},{"issue":"3","key":"key2020052710224377900_ref025","doi-asserted-by":"crossref","first-page":"39","DOI":"10.1017\/S0266078406003063","article-title":"Writing in the information age","volume":"22","year":"2006","journal-title":"English Today"},{"key":"key2020052710224377900_ref026","article-title":"Password contruction guidelines","author":"Sans","year":"2017"},{"key":"key2020052710224377900_ref027","volume-title":"The Characteristics of User-Generated Passwords","year":"1990"},{"key":"key2020052710224377900_ref028","first-page":"1","article-title":"Ethics in security research which lines should not be crossed?","volume-title":"Security and Privacy workshops (SPW), 2013, IEEE","year":"2013"},{"key":"key2020052710224377900_ref029","doi-asserted-by":"crossref","first-page":"130","DOI":"10.1016\/j.cose.2016.05.007","article-title":"User practice in password security: an empirical study of real-life passwords in the wild","volume":"61","year":"2016","journal-title":"Computers and Security"},{"key":"key2020052710224377900_ref030","article-title":"The password life cycle: user behaviour in managing passwords","volume-title":"Proc. Symposium On Usable Privacy and Security (SOUPS)","year":"2014"},{"issue":"8","key":"key2020052710224377900_ref031","doi-asserted-by":"crossref","first-page":"1656","DOI":"10.1109\/TIFS.2015.2422259","article-title":"Cracking more password hashes with patterns","volume":"10","year":"2015","journal-title":"IEEE Transactions on Information Forensics and Security"},{"key":"key2020052710224377900_ref032","article-title":"Added \u2018!\u2019at the end to make it secure\u201d: observing password creation in the lab","volume-title":"Proc. Symposium On Usable Privacy and Security (SOUPS)","year":"2015"},{"issue":"2","key":"key2020052710224377900_ref033","doi-asserted-by":"crossref","first-page":"183","DOI":"10.1080\/15614263.2015.1128163","article-title":"Challenges in digital forensics","volume":"17","year":"2016","journal-title":"Police Practice and Research"},{"key":"key2020052710224377900_ref034","doi-asserted-by":"crossref","first-page":"196","DOI":"10.1145\/3176258.3176332","article-title":"The next domino to fall: empirical analysis of user passwords across online services","volume-title":"Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy","year":"2018"},{"key":"key2020052710224377900_ref035","first-page":"157","article-title":"Zxcvbn: low-budget password strength estimation","volume-title":"USENIX Security Symposium","year":"2016"},{"key":"key2020052710224377900_ref036","volume-title":"Passwords Security: An Exploratory Study","year":"1990"},{"issue":"3","key":"key2020052710224377900_ref037","doi-asserted-by":"crossref","first-page":"227","DOI":"10.1093\/comjnl\/36.3.227","article-title":"A comparison of password techniques for multilevel authentication mechanisms","volume":"36","year":"1993","journal-title":"The Computer Journal"}],"container-title":["Information & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-06-2018-0077\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-06-2018-0077\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:59Z","timestamp":1753406579000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/27\/3\/453-467\/106069"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,7,8]]},"references-count":37,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2019,7,8]]}},"alternative-id":["10.1108\/ICS-06-2018-0077"],"URL":"https:\/\/doi.org\/10.1108\/ics-06-2018-0077","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2019,7,8]]}}}