Cognitive passwords are typically realized using “one size fits all” fact‐based or opinion‐based questions, and as such are prone to guessing attacks. The purpose of this paper is to propose a method of personalizing cognitive passwords to individual users, to close this loophole, and evaluate its performance against rigid cognitive passwords.
A personalized questionnaire formulated by the subjects was benchmarked against a rigid questionnaire in terms of recall and security. The evaluation employed two constructs used extensively in previous research, namely, Recall – the success in remembering a password, and Secrecy – the likelihood that the password cannot be guessed.
While the experiment found that personalization increases the recall of cognitive passwords, it showed no improvement in secrecy (reducing guessing rates).
The study was conducted in an academic environment with young freshmen students thereby limiting external validity. Another problem might stem from the difference in the length of the questionnaires between groups in order to minimize drop‐out rates.
Secrecy was and still is the Achilles heel of the cognitive password mechanism and therefore the results imply that some restrictions should be imposed to prevent selection of over‐simplistic cognitive passwords.
This study is important because it is the first of its kind – benchmarking recall and secrecy of two types of cognitive authentication methods – rigid and personalized.
Lazar, L., Tikolsky, O., Glezer, C. and Zviran, M. (2011), "Personalized cognitive passwords: an exploratory assessment", Information Management & Computer Security, Vol. 19 No. 1, pp. 25-41. https://doi.org/10.1108/09685221111115845Download as .RIS
Emerald Group Publishing Limited
Copyright © 2011, Emerald Group Publishing Limited