Modeling Aggregate Security with User Agents that Employ Password Memorization Techniques


Christopher Novak, Department of Computer Science, Dartmouth College; Jim Blythe, Information Sciences Institute, University of Southern California; Ross Koppel, Department of Sociology, University of Pennsylvania; Vijay Kothari and Sean Smith, Department of Computer Science, Dartmouth College


We discuss our ongoing work with an agent-based password simulation which models how site-enforced password requirements affect aggregate security when people interact with multiple authentication systems. We model two password memorization techniques: passphrase generation and spaced repetition. Our simulation suggests system-generated passphrases lead to lower aggregate security across services that enforce even moderate password requirements. Furthermore, allowing users to expand their password length over time via spaced repetition increases aggregate security.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {205710,
title = {Modeling Aggregate Security with User Agents that Employ Password Memorization Techniques},
booktitle = {Thirteenth Symposium on Usable Privacy and Security ({SOUPS} 2017)},
year = {2017},
address = {Santa Clara, CA},
url = {},
publisher = {{USENIX} Association},