M.J. Smith and G. Salvendy (Eds.): Human Interface, Part I, HCII 2009, LNCS 5617, pp. 693–701, 2009. © Springer-Verlag Berlin Heidelberg 2009

Effects of a Mnemonic Technique on Subsequent Recall of Assigned and Self-generated Passwords

Deborah L. Nelson and Kim-Phuong L. Vu
Department of Psychology, California State University, Long Beach
1250 N. Bellflower Blvd., Long Beach, CA 90840, USA
deborah.l.nelson@gmail.com, kvu8@csulb.edu

Abstract. Participants were trained on how to use a mnemonic strategy for memorizing assigned passwords or for generating new passwords. Memory for these passwords was examined at short and long recall delays. There was a significant interaction between type of password and recall delay for both the amount of time and number of attempts needed for participants to accurately recall their passwords. Participants trained in how to use the mnemonic technique to generate their own passwords were able to recall them more quickly and accurately than participants who were trained in how to use the mnemonic technique to memorize their assigned passwords. The impact of self-generated passwords on memory was discussed as well as the relative value of the mnemonic training strategy. Areas of future research were identified that may lead to the development of mnemonic training strategies to better enable users to recall their passwords.

Keywords: memory training programs, mnemonics, retrieval strategies, passwords, proactive password checking.

1 Introduction

It is well-documented that people have a hard time remembering their passwords, and current trends indicate that the number of password-protected accounts managed by a person will only continue to grow [1]. Because of the difficulty people have recalling the passwords they have created, people tend to choose passwords that are simple and relatively easy to remember [2] and often share the same password across multiple accounts [1].

During the past few years, many alternatives to alphanumeric password methodologies, such as biometrics, keystroke rate, graphical patterns, and voice recognition, have been touted as providing better security and/or authentication procedures [3], [4], [5], [6], [7]. However, due to the high cost and limited availability of many of these alternative methods, alphanumeric passwords are likely to remain the primary method of user authentication for the foreseeable future.

People have done little to improve password security on their own. Passwords analyzed from a UNIX time-sharing system in 1979 [8] were shown to be an average length of 4 characters and were primarily comprised of all lower case letters, digits, or a combination of the two. Thirty years later, the passwords of half a million Microsoft