A behavioral analysis of passphrase design and effectiveness

Mark Keith, Benjamin Shao, Paul Steinbart

Research output: Contribution to journalArticlepeer-review

66 Scopus citations


Although the use of multiple methods of user authentication for IT system increases security, passwords are often the only credential required for access. Consequently, the challenge is to discover ways to improve password strength without impairing usability. Longer pass "phrases" have received increased attention as a solution to this challenge because they are potentially more resistant to attacks yet are easy to remember. Recent evidence, however, suggests that passphrases increase the likelihood of typographical errors resulting in login failures and negative user perceptions. This paper presents experimental results that demonstrate well-designed passphrases do not increase login failures and, thereby, generate positive user perceptions. Implications are drawn to help IT managers develop effective IT security policies in utilizing passphrases to improve authentication and to assist researchers in identifying avenues for future research.

Original languageEnglish (US)
Pages (from-to)63-90
Number of pages28
JournalJournal of the Association for Information Systems
Issue number2
StatePublished - 2009


  • Authentication
  • Memory
  • Passphrases
  • Passwords
  • Security
  • Usability
  • User behavior

ASJC Scopus subject areas

  • Information Systems
  • Computer Science Applications


Dive into the research topics of 'A behavioral analysis of passphrase design and effectiveness'. Together they form a unique fingerprint.

Cite this