TY - GEN
T1 - On the memorability of system-generated PINs
T2 - 11th Symposium on Usable Privacy and Security, SOUPS 2015
AU - Huh, Jun Ho
AU - Kim, Hyoungschick
AU - Bobba, Rakesh B.
AU - Bashir, Masooda N.
AU - Beznosov, Konstantin
N1 - Funding Information:
This work was supported in part by the National Research Foundation of Korea (No. 2014R1A1A1003707), the ITRC (IITP-2015-H8501-15-1008), the NIPA (NIPA-2014-H0301-14-1010), the Information Trust Institute at University of Illinois, and the School of EECS at Oregon State University. Authors would like to thank Andrew Patrick for shepherding the paper, and all the anonymous reviewers for their valuable feedback. Authors would also like to thank David Nicol of Information Trust Institute for supporting the initial study, and Ji Won Yoon for his help with the statistical analysis.
PY - 2019
Y1 - 2019
N2 - To ensure that users do not choose weak personal identification numbers (PINs), many banks give out system-generated random PINs. 4-digit is the most commonly used PIN length, but 6-digit system-generated PINs are also becoming popular. The increased security we get from using system-generated PINs, however, comes at the cost of memorability. And while banks are increasingly adopting system-generated PINs, the impact on memorability of such PINs has not been studied. We conducted a large-scale online user study with 9,114 participants to investigate the impact of increased PIN length on the memorability of PINs, and whether number chunking techniques (breaking a single number into multiple smaller numbers) can be applied to improve memorability for larger PIN lengths. As one would expect, our study shows that system-generated 4-digit PINs outperform 6-, 7-, and 8-digit PINs in long-term memorability. Interestingly, however, we find that there is no statistically significant difference in memorability between 6-, 7-, and 8-digit PINs, indicating that 7- and 8-digit PINs should also be considered when looking to increase PIN length to 6 digits from the currently common length of 4 digits for improved security. By grouping all 6-, 7-, and 8-digit chunked PINs together, and comparing them against a group of all non-chunked PINs, we find that chunking, overall, improves memorability of system-generated PINs. To our surprise, however, none of the individual chunking policies (e.g., 0000-00-00) showed statistically significant improvement over their peer non-chunked policies (e.g., 00000000), indicating that chunking may only have a limited impact. Interestingly, the top performing 8-digit chunking policy did show noticeable and statistically significant improvement in memorability over shorter 7-digit PINs, indicating that while chunking has the potential to improve memorability, more studies are needed to understand the contexts in which that potential can be realized.
KW - Chunking
KW - PINs
KW - Passwords
KW - Policy
KW - Security
KW - Usability
UR - http://www.scopus.com/inward/record.url?scp=85075913884&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85075913884&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85075913884
T3 - SOUPS 2015 - Proceedings of the 11th Symposium on Usable Privacy and Security
SP - 197
EP - 209
BT - SOUPS 2015 - Proceedings of the 11th Symposium on Usable Privacy and Security
PB - USENIX Association
Y2 - 22 July 2015 through 24 July 2015
ER -