{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,28]],"date-time":"2025-09-28T20:46:54Z","timestamp":1759092414608,"version":"3.41.2"},"reference-count":82,"publisher":"Emerald","issue":"5","license":[{"start":{"date-parts":[[2020,6,23]],"date-time":"2020-06-23T00:00:00Z","timestamp":1592870400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2020,6,23]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>Using authentication to secure data and accounts has grown to be a natural part of computing. Even if several authentication methods are in existence, using passwords remain the most common type of authentication. As long and complex passwords are encouraged by research studies and practitioners alike, computer users design passwords using strategies that enable them to remember their passwords. This paper aims to find strategies that allow for the generation of passwords that are both memorable and computationally secure.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>The study began with a literature review that was used to identify cognitive password creation strategies that facilitate the creation of passwords that are easy to remember. Using an action-based approach, attack models were created for the resulting creation strategies. The attack models were then used to calculate the entropy for passwords created with different strategies and related to a theoretical cracking time.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The result of this study suggests that using phrases with four or more words as passwords will generate passwords that are easy to remember and hard to attack.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This paper considers passwords from a socio-technical approach and provides insight into how passwords that are easy to remember and hard to crack can be generated. The results can be directly used to create password guidelines and training material that enables users to create usable and secure passwords.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-07-2019-0077","type":"journal-article","created":{"date-parts":[[2020,6,22]],"date-time":"2020-06-22T10:30:25Z","timestamp":1592821825000},"page":"701-717","source":"Crossref","is-referenced-by-count":11,"title":["Constructing secure and memorable passwords"],"prefix":"10.1108","volume":"28","author":[{"given":"Joakim","family":"K\u00e4vrestad","sequence":"first","affiliation":[]},{"given":"Markus","family":"Lennartsson","sequence":"additional","affiliation":[]},{"given":"Marcus","family":"Birath","sequence":"additional","affiliation":[]},{"given":"Marcus","family":"Nohlberg","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"key":"key2020110313134966500_ref001","unstructured":"Apple (2020), \u201cSecurity and your Apple ID\u201d, available at: https:\/\/support.apple.com\/en-us\/HT201303 (accessed 12 September 2019)."},{"article-title":"Evaluating the usability of system-generated and user-generated passwords of approximately equal security","volume-title":"Human Aspects of Information Security, Privacy, and Trust. HAS 2013. Lecture Notes in Computer Science","year":"2013","key":"key2020110313134966500_ref002"},{"article-title":"Improving security and usability of passphrases with guided word choice","volume-title":"Proceedings of the 34th Annual Computer Security Applications Conference","year":"2018","key":"key2020110313134966500_ref003"},{"key":"key2020110313134966500_ref004","first-page":"153","article-title":"The average word length dynamics as an indicator of cultural changes in society","volume":"14","year":"2015","journal-title":"Social Evolution and History"},{"issue":"2","key":"key2020110313134966500_ref005","doi-asserted-by":"crossref","first-page":"77","DOI":"10.1191\/1478088706qp063oa","article-title":"Using thematic analysis in psychology","volume":"3","year":"2006","journal-title":"Qualitative Research in Psychology"},{"issue":"4","key":"key2020110313134966500_ref006","doi-asserted-by":"crossref","first-page":"571","DOI":"10.1016\/j.jss.2006.07.009","article-title":"Lessons from applying the systematic literature review process within the software engineering domain","volume":"80","year":"2007","journal-title":"Journal of Systems and Software"},{"key":"key2020110313134966500_ref007","doi-asserted-by":"crossref","first-page":"44","DOI":"10.1016\/j.ijhcs.2019.01.004","article-title":"Security analysis of game-changer password system","volume":"126","year":"2019","journal-title":"International Journal of Human-Computer Studies"},{"issue":"1","key":"key2020110313134966500_ref008","article-title":"User behaviors associated with password security and management","volume":"14","year":"2006","journal-title":"Australasian Journal of Information Systems"},{"key":"key2020110313134966500_ref009","first-page":"1116","article-title":"How many words do we know? Practical estimates of vocabulary size dependent on word definition, the degree of language input and the participant\u2019s age","volume":"7","year":"2016","journal-title":"Frontiers in Psychology"},{"issue":"5","key":"key2020110313134966500_ref010","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1201\/1079.07366981\/46352.34.5.20061101\/95107.ARTICLE.1","article-title":"Password security: an empirical investigation into e-commerce passwords and their crack times","volume":"34","year":"2006","journal-title":"EDPACS"},{"key":"key2020110313134966500_ref011","first-page":"387","article-title":"Password cracking based on special keyboard patterns","volume":"8","year":"2012","journal-title":"International Journal of Innovative Computing, Information and Control"},{"article-title":"The tangled web of password reuse","volume-title":"2014 Network and Distributed System Security (NDSS) Symposium","year":"2014","key":"key2020110313134966500_ref012"},{"article-title":"Why johnny doesn\u2019t use two factors a two-phase usability study of the fido u2f security key","volume-title":"Proceedings of the International Conference on Financial Cryptography and Data Security, 2018","year":"2018","key":"key2020110313134966500_ref013"},{"issue":"1\/2","key":"key2020110313134966500_ref014","first-page":"128","article-title":"Is a picture really worth a thousand words? Exploring the feasibility of graphical authentication systems","volume":"63","year":"2005","journal-title":"International Journal of Human-Computer Studies"},{"issue":"6","key":"key2020110313134966500_ref015","doi-asserted-by":"crossref","first-page":"415","DOI":"10.1016\/j.ijhcs.2012.02.008","article-title":"Rational security: modeling everyday password use","volume":"70","year":"2012","journal-title":"International Journal of Human-Computer Studies"},{"volume-title":"NIST Special Publication 800-63b: Digital Identity Guidelines","year":"2017","key":"key2020110313134966500_ref016"},{"key":"key2020110313134966500_ref017","first-page":"160","article-title":"I can\u2019t type that! P@$$w0rd entry on mobile devices","volume-title":"In International Conference on Human Aspects of Information Security, Privacy, and Trust","year":"2014"},{"article-title":"Leveraging semantic transformation to investigate password habits and their causes","volume-title":"Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems","year":"2018","key":"key2020110313134966500_ref018"},{"key":"key2020110313134966500_ref019","unstructured":"Haveibeenpawned.Com (2018), \u201cExploit. in\u201d, available at: https:\/\/haveibeenpwned.com\/ (accessed 12 September 2019)."},{"key":"key2020110313134966500_ref020","first-page":"217","article-title":"PassGAN: a deep learning approach for password guessing","volume-title":"International Conference on Applied Cryptography and Network Security","year":"2019"},{"key":"key2020110313134966500_ref021","first-page":"459","article-title":"Password authentication from a human factors perspective: results of a survey among end-users","volume-title":"Proceedings of the Human Factors and Ergonomics Society Annual Meeting","year":"2009"},{"key":"key2020110313134966500_ref022","first-page":"285","article-title":"Using personal information in targeted grammar-based probabilistic password attacks","volume-title":"IFIP International Conference on Digital Forensics","year":"2017"},{"article-title":"Surpass: system-initiated user-replaceable passwords","volume-title":"Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security","year":"2015","key":"key2020110313134966500_ref023"},{"article-title":"The true cost of unusable password policies: password use in the wild","volume-title":"Proceedings of the SIGCHI Conference on Human Factors in Computing Systems","year":"2010","key":"key2020110313134966500_ref024"},{"volume-title":"Doing Your Literature Review: Traditional and Systematic Techniques","year":"2011","key":"key2020110313134966500_ref025"},{"article-title":"Have the cake and eat it too \u2013 infusing usability into text-password based authentication systems","volume-title":"21st Annual Computer Security Applications Conference (ACSAC\u201905)","year":"2005","key":"key2020110313134966500_ref026"},{"article-title":"Reinforcing system-assigned passphrases through implicit learning","volume-title":"Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security","year":"2018","key":"key2020110313134966500_ref027"},{"article-title":"Using System-Generated mnemonics to improve the usability and security of password authentication","volume-title":"Proceedings of the Human Factors and Ergonomics Society Annual Meeting","year":"2012","key":"key2020110313134966500_ref028"},{"volume-title":"Fundamentals of Digital Forensics: Theory, Methods, and Real-Life Applications","year":"2018","key":"key2020110313134966500_ref029"},{"issue":"3","key":"key2020110313134966500_ref030","article-title":"Understanding passwords \u2013 a taxonomy of password creation strategies","volume":"27","year":"2019","journal-title":"Information and Computer Security"},{"issue":"2","key":"key2020110313134966500_ref031","doi-asserted-by":"crossref","first-page":"63","DOI":"10.17705\/1jais.00184","article-title":"A behavioral analysis of passphrase design and effectiveness","volume":"10","year":"2009","journal-title":"Journal of the Association for Information Systems"},{"issue":"1","key":"key2020110313134966500_ref032","doi-asserted-by":"crossref","first-page":"17","DOI":"10.1016\/j.ijhcs.2006.08.005","article-title":"The usability of passphrases for authentication: an empirical field study","volume":"65","year":"2007","journal-title":"International Journal of Human-Computer Studies"},{"volume-title":"Procedures for Performing Systematic Reviews","year":"2004","key":"key2020110313134966500_ref033"},{"year":"2015","key":"key2020110313134966500_ref034","article-title":"How to do a structured literature review in computer science"},{"article-title":"Of passwords and people: measuring the effect of password-composition policies","volume-title":"Proceedings of the SIGCHI Conference on Human Factors in Computing Systems","year":"2011","key":"key2020110313134966500_ref035"},{"article-title":"Human selection of mnemonic phrase-based passwords","volume-title":"Proceedings of the second symposium on Usable privacy and security","year":"2006","key":"key2020110313134966500_ref036"},{"volume-title":"Exploring the Usability of Pronounceable Passwords","year":"2014","key":"key2020110313134966500_ref037"},{"issue":"2","key":"key2020110313134966500_ref038","doi-asserted-by":"crossref","first-page":"255","DOI":"10.1093\/applin\/19.2.255","article-title":"The development of passive and active vocabulary in a second language: same or different?","volume":"19","year":"1998","journal-title":"Applied Linguistics"},{"article-title":"Investigating the distribution of password choices","volume-title":"Proceedings of the 21st international conference on World Wide Web","year":"2012","key":"key2020110313134966500_ref039"},{"key":"key2020110313134966500_ref040","unstructured":"Marquardson, J. (2012), \u201cPassword policy effects on entropy and recall\u201d, working paper."},{"article-title":"Usability and security of text passwords on mobile devices","volume-title":"Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems","year":"2016","key":"key2020110313134966500_ref041"},{"key":"key2020110313134966500_ref042","doi-asserted-by":"crossref","first-page":"21","DOI":"10.1044\/cicsd_33_S_21","article-title":"Selecting studies for systematic review: inclusion and exclusion criteria","volume":"33","year":"2006","journal-title":"Contemporary Issues in Communication Science and Disorders"},{"key":"key2020110313134966500_ref043","unstructured":"Microsoft (2019), \u201cPassword policy recommendations for office 365\u201d, available at: https:\/\/docs.microsoft.com\/en-us\/office365\/admin\/misc\/password-policy-recommendations?view=o365-worldwide (accessed 12 September 2019)."},{"issue":"4","key":"key2020110313134966500_ref044","doi-asserted-by":"crossref","first-page":"705","DOI":"10.1016\/j.chb.2010.01.007","article-title":"Effectiveness of image-based mnemonic techniques for enhancing the memorability and security of user-generated passwords","volume":"26","year":"2010","journal-title":"Computers in Human Behavior"},{"key":"key2020110313134966500_ref045","article-title":"Effects of a mnemonic technique on subsequent recall of assigned and self-generated passwords","volume":"1","year":"2009","journal-title":"Human Interface and the Management of Information: Designing Information Environments"},{"article-title":"An analysis of persuasive text passwords","volume-title":"2nd National Foundation for Science and Technology Development Conference on Information and Computer Science","year":"2015","key":"key2020110313134966500_ref046"},{"article-title":"Improving the usability of passphrase authentication","volume-title":"Twelfth Annual International Conference on Privacy, Security and Trust (PST)","year":"2014","key":"key2020110313134966500_ref047"},{"article-title":"Improving the usability of passphrase authentication","volume-title":"Twelfth Annual International Conference on Privacy, Security and Trust","year":"2014","key":"key2020110313134966500_ref048"},{"key":"key2020110313134966500_ref049","unstructured":"OWASP (2019), \u201cAuthentication_cheat_sheet.md\u201d, available at: https:\/\/github.com\/OWASP\/CheatSheetSeries\/blob\/master\/cheatsheets\/Authentication_Cheat_Sheet.md (accessed 12 September 2019)."},{"key":"key2020110313134966500_ref050","unstructured":"Oxford English Dictionary (2019), \u201cAbout\u201d, available at: https:\/\/public.oed.com\/about\/ (accessed 12 September 2019)."},{"article-title":"Let\u2019s go in for a closer look: observing passwords in their natural habitat","volume-title":"Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security","year":"2017","key":"key2020110313134966500_ref051"},{"edition":"5th ed.","volume-title":"Security in Computing","year":"2015","key":"key2020110313134966500_ref052"},{"issue":"12","key":"key2020110313134966500_ref053","article-title":"Passwords usage and human memory limitations: a survey across age and educational background","volume":"7","year":"2012","journal-title":"PLoS One"},{"article-title":"Effect of grammar on the security of long passwords","volume-title":"Proceedings of the third ACM conference on Data and application security and privacy","year":"2013","key":"key2020110313134966500_ref054"},{"article-title":"Password creation strategies across high- and low-literacy web users","volume-title":"Proceedings of the 78th ASIS&T Annual Meeting: Information Science with Impact: Research in and for the Community","year":"2015","key":"key2020110313134966500_ref055"},{"article-title":"A spoonful of sugar? The impact of guidance and feedback on password-creation behavior","volume-title":"Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems","year":"2015","key":"key2020110313134966500_ref056"},{"article-title":"Correct horse battery staple: exploring the usability of system-assigned passphrases","volume-title":"Proceedings of the eighth symposium on usable privacy and security","year":"2012","key":"key2020110313134966500_ref057"},{"article-title":"Can long passwords be secure and usable?","volume-title":"Proceedings of the SIGCHI conference on human factors in computing systems","year":"2014","key":"key2020110313134966500_ref058"},{"issue":"4","key":"key2020110313134966500_ref059","article-title":"Designing password policies for strength and usability","volume":"18","year":"2016","journal-title":"ACM Transactions on Information and System Security ( Security"},{"article-title":"Encountering stronger password requirements: user attitudes and behaviors","volume-title":"Proceedings of the Sixth Symposium on Usable Privacy and Security","year":"2010","key":"key2020110313134966500_ref060"},{"key":"key2020110313134966500_ref061","doi-asserted-by":"crossref","first-page":"130","DOI":"10.1016\/j.cose.2016.05.007","article-title":"User practice in password security: an empirical study of real-life passwords in the wild","volume":"61","year":"2016","journal-title":"Computers and Security"},{"year":"2012","key":"key2020110313134966500_ref062","article-title":"Distinct word length frequencies: distributions and symbol entropies"},{"article-title":"The password life cycle: user behavior in managing passwords","volume-title":"10th Symposium On Usable Privacy and Security","year":"2014","key":"key2020110313134966500_ref063"},{"article-title":"On password strength measurements: password entropy and password quality","volume-title":"CCEEE 2013: International Conference on Computing, Electrical and Electronic Engineering","year":"2013","key":"key2020110313134966500_ref064"},{"article-title":"Do users\u2019 perceptions of password security match reality?","volume-title":"Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems","year":"2016","key":"key2020110313134966500_ref065"},{"article-title":"I added \u2018!\u2019at the end to make it secure\u201d: observing password creation in the lab","volume-title":"Eleventh Symposium On Usable Privacy and Security","year":"2015","key":"key2020110313134966500_ref066"},{"article-title":"Visualizing semantics in passwords: the role of dates","volume-title":"Proceedings of the Ninth International Symposium on Visualization for Cyber Security","year":"2012","key":"key2020110313134966500_ref067"},{"article-title":"Short-and long-term retention of passwords generated by first-letter and entire-word mnemonic methods","volume-title":"Proceedings of the 5th Annual Security Conference","year":"2006","key":"key2020110313134966500_ref068"},{"issue":"8","key":"key2020110313134966500_ref069","doi-asserted-by":"crossref","first-page":"744","DOI":"10.1016\/j.ijhcs.2007.03.007","article-title":"Improving password security and memorability to protect personal and organizational information","volume":"65","year":"2007","journal-title":"International Journal of Human-Computer Studies"},{"article-title":"Usability and security go together: a case study on database","volume-title":"Second International Conference on Recent Trends and Challenges in Computational Models (ICRTCCM)","year":"2017","key":"key2020110313134966500_ref070"},{"article-title":"Testing metrics for password creation policies by attacking large sets of revealed passwords","volume-title":"Proceedings of the 17th ACM conference on Computer and communications security","year":"2010","key":"key2020110313134966500_ref071"},{"article-title":"Pretty good persuasion: the first step towards effective password security in the real world","volume-title":"Proceedings of the 2001 workshop on New security paradigms","year":"2001","key":"key2020110313134966500_ref072"},{"article-title":"PassShapes: utilizing stroke-based authentication to increase password memorability","volume-title":"Proceedings of the 5th Nordic conference on Human-computer interaction: building bridges","year":"2008","key":"key2020110313134966500_ref073"},{"article-title":"Why Johnny can\u2019t encrypt: a usability evaluation of PGP 5.0","volume-title":"USENIX Security Symposium","year":"1999","key":"key2020110313134966500_ref074"},{"article-title":"Guidelines for snowballing in systematic literature studies and a replication in software engineering","volume-title":"Proceedings of the 18th international conference on evaluation and assessment in software engineering","year":"2014","key":"key2020110313134966500_ref075"},{"issue":"1","key":"key2020110313134966500_ref076","doi-asserted-by":"crossref","first-page":"45","DOI":"10.1057\/ejis.2011.51","article-title":"Using grounded theory as a method for rigorously reviewing literature","volume":"22","year":"2013","journal-title":"European Journal of Information Systems"},{"key":"key2020110313134966500_ref077","doi-asserted-by":"crossref","first-page":"36","DOI":"10.1016\/j.ijhcs.2017.11.002","article-title":"Too many passwords? how understanding our memory can increase password memorability","volume":"111","year":"2018","journal-title":"International Journal of Human-Computer Studies"},{"key":"key2020110313134966500_ref078","unstructured":"Yahoo (2020), \u201cPassword tips\u201d, available at: https:\/\/safety.yahoo.com\/Security\/STRONG-PASSWORD.html (accessed 12 September 2019)."},{"article-title":"PapiaPass: sentence-based passwords using dependency trees","volume-title":"13th International Iranian Society of Cryptology Conference on Information Security and Cryptology (ISCISC)","year":"2016","key":"key2020110313134966500_ref079"},{"article-title":"An empirical study of mnemonic sentence-based password generation strategies","volume-title":"Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security","year":"2016","key":"key2020110313134966500_ref080"},{"issue":"2","key":"key2020110313134966500_ref081","doi-asserted-by":"crossref","first-page":"165","DOI":"10.1057\/ejis.2009.9","article-title":"Improving multiple-password recall: an empirical study","volume":"18","year":"2009","journal-title":"European Journal of Information Systems"},{"volume-title":"Password Security: An Exploratory Study","year":"1990","key":"key2020110313134966500_ref082"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-07-2019-0077\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-07-2019-0077\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:03Z","timestamp":1753406583000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/28\/5\/701-717\/110948"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,6,23]]},"references-count":82,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2020,6,23]]}},"alternative-id":["10.1108\/ICS-07-2019-0077"],"URL":"https:\/\/doi.org\/10.1108\/ics-07-2019-0077","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"type":"print","value":"2056-4961"},{"type":"print","value":"2056-4961"}],"subject":[],"published":{"date-parts":[[2020,6,23]]}}}