Abstract or Summary:
Violations of published strictures on password use have led to widespread unauthorized access to computer systems. The problem may compound as inexpert users, handicapped by inadequate guidance and ignorance of computers, are increasingly involved on networked, supposedly “user-friendly” workstations. The literature on password methods reflects a technocentric focus emphasizing security without due regard for user comfort, i.e., a “user-hostile”, system perspective. We present a “user-friendly” model for the password selection and re-creation processes rooted in cognitive psychology. The model suggests two approaches to password selection — one rooted in a nomothetic, or particularized, the other in an idiographic, or generalized, treatment of experience — that exploit principles of recall, memory aids and simple formal transformations. A third approach, exploiting environmental cues — hence recognition rather than recall — is also considered. Intermediate approaches enable tradeoffs between password security and memorability appropriate to the context and cognitive style of the user. The reduction of the approaches to practice is illustrated in numerous examples. The approaches yield passwords more vulnerable to discovery than those envisioned in system-oriented theory, yet operationally superior to many prompted by strictures reflecting a technocentric system perspective. We recommend that guidance materials on password use be made available on systems.