Even for users of password managers, primary passwords are a common root of trust; these must be secure against offline attacks. Randomly generated passwords provide strength guarantees but are less memorable. Cognitive psychology studies have found that providing a choice aids recall; however, no studies have investigated the impact of choice on password recall in isolation. To address this, we conducted a longitudinal user study (N=861 at initial follow-up) where users selected and memorized a password from a list of 1, 8, 32, or 128 random passwords. The users entered their password multiple times after selection to improve memory, and we followed up 7 and 28 days later. We found no evidence that selecting from a list improved memorability, which suggests designers and researchers should explore other avenues. Finally, we identify potential directions for new interfaces that help users generate random passwords that will be easier to use.
https://dl.acm.org/doi/10.1145/3706598.3714043
The ACM CHI Conference on Human Factors in Computing Systems (https://chi2025.acm.org/)