User-Centric Adaptive Password Policies to Combat Password Fatigue
Yaqoob Al-Slais and Wael El-Medany
College of Information Technology, University of Bahrain, Kingdom of Bahrain
Abstract: Today, online users will have an average of 25 password-protected accounts online, yet use, on average, 6.5 passwords. The excessive cognitive burden of remembering large amounts of passwords causes Password Fatigue. Therefore users tend to reuse passwords or recycle password patterns whenever prompted to change their passwords regularly. Researchers have created Adaptive Password Policies to prevent users from creating new passwords similar to previously created ones. However, this approach creates user frustration as it neglects users’ cognitive burden. This paper proposes a novel User-Centric Adaptive Password Policy (UCAPP) Framework for password creation and management that assigns users system-generated passwords based on a cognitive-behavioural agent-based model. The framework comprises a Password Policy Assignment Test (PassPAST), a Cognitive Burden Scale (CBS), a User Profiling Algorithm, and a Password Generator (PassGEN). The framework creates tailor-made password policies that maintain password memorability for users of different cognitive thresholds without sacrificing password strength and entropy. The framework successfully created 30-40% stronger passwords for Critical users and random (non-mnemonic) passwords for Typical users based on each individual’s cognitive password thresholds in a preliminary test.
Keywords: Cognitive burden, cybersecurity, human factors, adaptive password policy, password fatigue.
Received January 1, 2020; accepted February 15, 2021