The usability of passphrases for authentication: An empirical field study

Mark Keith, Benjamin Shao, Paul Steinbart

Research output: Contribution to journalArticlepeer-review

89 Scopus citations


In developing password policies, IT managers must strike a balance between security and memorability. Rules that improve structural integrity against attacks may also result in passwords that are difficult to remember. Recent technologies have relaxed the 8-character password constraint to permit the creation of longer pass-"phrases" consisting of multiple words. Longer passphrases are attractive because they can improve security by increasing the difficulty of brute-force attacks and they might also be easy to remember. Yet, no empirical evidence concerning the actual usability of passphrases exists. This paper presents the results of a 12-week experiment that examines users' experience and satisfaction with passphrases. Results indicate that passphrase users experienced a rate of unsuccessful logins due to memory recall failure similar to that of users of self-generated simple passwords and stringent passwords. However, passphrase users had more failed login attempts due to typographical errors than did users of either simple or highly secure passwords. Moreover, although the typographical errors disappeared over time, passphrase users' initial problems negatively affected their end-of-experiment perceptions.

Original languageEnglish (US)
Pages (from-to)17-28
Number of pages12
JournalInternational Journal of Human Computer Studies
Issue number1
StatePublished - Jan 2007


  • Authentication
  • Memory
  • Passphrases
  • Passwords
  • Security
  • Usability

ASJC Scopus subject areas

  • Software
  • Human Factors and Ergonomics
  • Education
  • Engineering(all)
  • Human-Computer Interaction
  • Hardware and Architecture


Dive into the research topics of 'The usability of passphrases for authentication: An empirical field study'. Together they form a unique fingerprint.

Cite this