User Perceptions of Five-Word Passwords.

Human-chosen passwords are often short, selected non-uniformly, and thus, susceptible to automated guessing attacks. To help users to select more secure but memorable passwords, experts have recommended the use of passphrases of multiple words or phrases. In this paper, we explore a strategy for passphrase selection, so-called five-word passwords, where users are assigned five random words for a passphrase. Such a password composition policy was recently adopted at Georgetown University in December 2020. Through a two-part online survey (n = 150 and n = 116), participants selected a five-word password under different conditions. We find that computer-generated five-word passwords are more diverse and likely more secure than five-word passwords users select themselves. While all cases of five-word passwords are likely more secure than a human-generated, traditional password, participants expressed misconceptions regarding the security of five-word passwords (and passwords generally). Five-word passwords also appear to negatively impact usability, only 39.7 % of participants successfully recalled their password after two weeks. While five-word passwords offer improvements for security, more outreach is needed to explain their security benefits and reduce usability burdens.