Passwords are not hard to remember because they are long, rather human memory forgets them selectively. But how? Our work with Janne Lindqvist’s’ lab at Rutgers presented a new predictive model for which passwords are forgotten. The results were presented at USENIX Security ’18. The paper "Forgetting of Passwords: Ecological Theory and Data" is available at jannelindqvist.com/publications/USENIXSECURITY18-forgettingofpasswords.pdf
It is well known that text-based passwords are hard to remember and that users prefer simple (and non-secure) passwords. However, despite extensive research on the topic, no principled account exists for explaining when a password will be forgotten. This paper contributes new data and a set of analyses building on the ecological theory of memory and forgetting. We propose that human memory naturally adapts according to an estimate of how often a password will be needed, such that often used, important passwords are less likely to be forgotten. We derive models for login duration and odds of recall as a function of rate of use and number of uses thus far. The models achieved a root-mean-square error (RMSE) of 1.8 seconds for login duration and 0.09 for recall odds for data collected in a month-long field experiment where fre- quency of password use was controlled. The theory and data shed new light on password management, account usage, password security and memorability.