Graphical Passwords and Practical Password Management

Abstract
  • Text passwords pose a number of difficulties for end users, who must create, remember, and manage large numbers of passwords. Users are often regarded as the weak link in security systems, but they are a crucial component of the system, and need to be better considered in the design of security products. Many password alternatives have been proposed, but none have successfully replaced ordinary text passwords, and the potential consequences of password problems grow as more information relating to work and life is stored online. This thesis explores practical approaches to helping users select, securely reuse, and manage passwords, and investigates questions about password alternatives. The attention is on the end user, and how authentication affects these users in their daily lives. Our focus is on practical, actionable results to assist end users in their daily tasks. The thesis begins by investigating issues of memorability with graphical passwords, and proposes the design of PassTiles, a new graphical password system that allows secure random memorable passwords to be easily assigned. This graphical password system is used to explore what type of memory retrieval best supports the memorability of graphical passwords, and the results show that cued-recall graphical passwords give an advantageous combination of memorability and usability. Password coping strategies are next explored through interviews with end users, and investigation into the techniques that users rely on to handle current password demands. Interviews with expert users were conducted to understand how their additional expertise helps them manage the same problems faced by end users. Grounded Theory analysis led to the emergence of a password life cycle model. A survey study suggested that the coping strategies discussed in the interviews are widespread. Finally, the thesis proposes the design of a password manager to support users' existing coping strategies by protecting password reuse, and to securely protect users' accounts with memorable assigned random graphical passwords.

Rights Notes
  • Copyright © 2015 the author(s). Theses may be used for non-commercial research, educational, or related academic purposes only. Such uses include personal study, research, scholarship, and teaching. Theses may only be shared by linking to Carleton University Institutional Repository and no part may be used without proper attribution to the author. No part may be used for commercial purposes directly or indirectly via a for-profit platform; no adaptation or derivative works are permitted without consent from the copyright owner.

Date Created
  • 2015
