Password Memorability and Security: Empirical Results

Author(s): Jeff Yan, Alan Blackwell, Ross Anderson, Alasdair Grant
Venue: IEEE Security & Privacy
Date: 2004

Type of Experiment: Case Study

Quality
3

Link: http://www.ieeexplore.ieee.org.ezproxy.lib.calpoly.edu:2048/stamp/stamp....

This paper presents an empirical study of the trade-off between secure passwords that are hard to remember and insecure passwords that are easy to remember. The study gives different password selection advice to 3 groups, all natural science students at the University of Cambridge, and compares the effects. When the students receive their user accounts for the computing facility they are given the option to attend an introductory lesson; 288 of the 300 students who attended the lesson participated in the study.

The participants were randomly assigned to one of three test groups, and each group was given different advice on how to select a good password. The control group was given minimal advice, telling them the basic requirements for length and character types. The second group, called the random group, was told to close their eyes and pick 8 random characters from a page filled with a repeating pattern of the letters A-Z and the numbers 1-9, and to keep a written copy of the password until they had memorized it. The third group, called the pass phrase group, was told to pick a mnemonic-based password. One month after the lesson, the researchers analysed the passwords, running dictionary attacks, permutation attacks, user information attacks, and brute force attacks against all the passwords chosen by the participants. Four months after the lesson, they surveyed the participants about the difficulty they had remembering their password.
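The four attack classes the researchers ran, as an added example that is not the paper's own code: a small Python audit that reports which class a candidate password falls to. The dictionary, the symbol-set size and the brute-force budget are constructed assumptions for illustration, not values from the paper.

```python
# Constructed stand-in for a cracking dictionary (assumption: a real audit
# would load a full word list; this is not the paper's list).
DICTIONARY = {"password", "cambridge", "physics", "chemistry", "letmein", "science"}

# Assumed brute-force budget: a keyspace below 36**7 guesses counts as reachable.
MAX_GUESSES = 36 ** 7


def _permutations(word):
    """Variants a permutation attack tries: case changes, reversal, digit suffix."""
    for base in (word, word.capitalize(), word.upper(), word[::-1]):
        yield base
        for digit in range(10):
            yield f"{base}{digit}"

def dictionary_hit(password):
    """Password is a plain dictionary word (case-insensitive)."""
    return password.lower() in DICTIONARY

def permutation_hit(password):
    """Password is a simple transformation of a dictionary word."""
    return any(password == v for w in DICTIONARY for v in _permutations(w))

def user_info_hit(password, user_info):
    """Password embeds a fragment (3+ chars) of the user's known details."""
    low = password.lower()
    return any(item.lower() in low for item in user_info if len(item) >= 3)

def keyspace(password):
    """Guesses an exhaustive search needs for the password's classes and length."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(not c.isalnum() for c in password): size += 32  # assumed symbol set
    return size ** len(password)

def audit(password, user_info=()):
    """Return the first attack class the password falls to, or None if it survives all four."""
    if dictionary_hit(password):
        return "dictionary"
    if permutation_hit(password):
        return "permutation"
    if user_info_hit(password, user_info):
        return "user_info"
    if keyspace(password) < MAX_GUESSES:
        return "brute_force"
    return None
```

The check order mirrors cheap-to-expensive attacks, so a password that is both a dictionary word and short is reported as a dictionary hit.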

The analysis confirmed a number of things and disproved a few others. It confirmed that random passwords are hard to remember and that mnemonic-based pass phrases are harder to guess than naively selected ones. However, the study disproved the beliefs that random passwords are stronger than mnemonics and that mnemonics are harder to remember than naively selected ones. Lastly, they disproved the idea that offering password advice by itself improves security, since they observed a non-compliance rate of around 10 percent. The study was performed well and seems to be valid and very useful.
