
Chapter 6 Passhint Authentication System

6.4 Usability Study (US3)

6.4.1 Usability Study Experiment Design

This lab-based study investigated the usability (effectiveness in terms of the memorability and efficiency in terms of the password registration and authentication time) of multiple passwords in PHAS. An experimental framework similar to the one reported by Moncur & Leplatre (2007) and Chiasson et al. (2009) was used to conduct US3. The experimental framework used to conduct US3 is discussed below.


Stage 1 (Day 1): Each subject was asked to register with four passwords, one of each image type (Mikon, doodle, art and object). Each password consisted of four target images and the associated hints. Each subject was given an instruction sheet that explained both the registration and login processes. They were told that their passwords were for four specific accounts: banking, online shopping, personal email and social networking. This ensured that participants had a context to use in differentiating their multiple passwords. The subjects were not given any information or suggestion as to the strategy to be adopted for creating the passwords and corresponding hints. The instructions regarding the hints were:

• They should be one or more words long, in any language, but must be typed in English characters (maximum length for each hint being six words). The restriction imposed on the length of the hints ensured that these are not too long;

• Each hint should be something which will help a legitimate user to recognize the target images at a later date and, ideally, not be useful to anyone else trying to guess the target images.

A distraction task was given to the subjects after registering with each password. These were also used in the study reported in Chiasson et al. (2009) and are intended to clear the working textual memory and verbal memory, when multiple passwords are created simultaneously in a single session. The distraction tasks in US3 included listening to songs, watching funny videos, solving word puzzles and answering a quiz about the University. Each distraction task lasted for about 8-10 minutes.

Each subject had to authenticate three times, with each of their passwords. The system displayed the password in the case of three failed authentication attempts. Finally, the subjects were asked to categorize the hints they had used for each of the target images into one of the selected types of explicit memory (episodic, flashbulb etc.) discussed in Section 6.4.2. The login success was not analysed for this stage.

Stage 2 - Retention test (14 days after Stage 1): Each subject was asked to authenticate three times using the hints. There was no practice session between Stages 1 and 2. This experimental design helped to examine the usability of multiple PHAS passwords when they have not been used for a considerable period of time.


6.4.2 Usability Study Results

The independent variables in US3 are the four different image types: Mikon, doodle, art and object. The dependent variables and the corresponding results are discussed below.

(A) Effectiveness

The mean login success percentage (SP5) of each subject in each condition (image type) is calculated using Eq. 6.1.

SP5 = Successful attempts / Total attempts    (Eq. 6.1)

Table 6.1 presents the descriptive statistics for the measure SP5.

| Conditions | SP5% | SE | SD |
|---|---|---|---|
| Mikon | 95 | 3.49 | 22.07 |
| Doodle | 95 | 3.49 | 22.07 |
| Art | 97.5 | 2.5 | 15.81 |
| Object | 97.5 | 2.5 | 15.81 |

Table 6.1: Descriptive statistics for mean login success percentage in US3

SP5 for each of the conditions was not normally distributed as assessed by the Shapiro-Wilk test. A Friedman test showed that there is no significant difference between the conditions (χ² = 0.667, df = 3, p = 0.88). A Wilcoxon post hoc test did not show any significant difference between each pair of conditions. Out of 160 passwords, only 6 (3.75%) were not memorable. This demonstrates the effectiveness of PHAS when the users have to remember multiple passwords.
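The Friedman result above can be reproduced from the summary figures alone; the following is an added worked example, not code or data from the original study. It assumes 40 subjects, that each subject's SP5 per condition is either 0 or 100, and that the six failed passwords (2 Mikon, 2 doodle, 1 art, 1 object, inferred from Table 6.1) belong to six different subjects; under those assumptions the tie-corrected statistic and the Table 6.1 descriptives match the reported values.

```python
import math
import statistics

def build_scores(failures=(2, 2, 1, 1), n=40):
    """Constructed per-subject SP5 (0 or 100) for Mikon, Doodle, Art, Object.
    Assumption: each failed password belongs to a different subject."""
    rows = [[100.0] * len(failures) for _ in range(n)]
    subject = 0
    for cond, count in enumerate(failures):
        for _ in range(count):
            rows[subject][cond] = 0.0
            subject += 1
    return rows

def midranks(row):
    """Rank one subject's scores; tied scores share their average rank."""
    order = sorted(range(len(row)), key=lambda j: row[j])
    ranks, i = [0.0] * len(row), 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and row[order[j + 1]] == row[order[i]]:
            j += 1
        for t in range(i, j + 1):
            ranks[order[t]] = (i + j) / 2 + 1
        i = j + 1
    return ranks

def friedman(rows):
    """Tie-corrected Friedman chi-square statistic and degrees of freedom."""
    n, k = len(rows), len(rows[0])
    ranked = [midranks(r) for r in rows]
    sums = [sum(r[j] for r in ranked) for j in range(k)]
    num = (k - 1) * sum((s - n * (k + 1) / 2) ** 2 for s in sums)
    den = sum(x * x for r in ranked for x in r) - n * k * (k + 1) ** 2 / 4
    return (num / den if den else 0.0), k - 1  # den == 0: every row fully tied

def chi2_sf_df3(x):
    """Upper-tail probability of a chi-square variable with 3 degrees of freedom."""
    return math.erfc(math.sqrt(x / 2)) + math.sqrt(2 * x / math.pi) * math.exp(-x / 2)

def describe(rows, cond):
    """Mean, sample SD and standard error for one condition (Table 6.1 columns)."""
    col = [r[cond] for r in rows]
    sd = statistics.stdev(col)
    return statistics.mean(col), sd, sd / math.sqrt(len(col))

if __name__ == "__main__":
    data = build_scores()
    chi2, df = friedman(data)
    print(f"chi2={chi2:.3f} df={df} p={chi2_sf_df3(chi2):.2f}")
    print([tuple(round(v, 2) for v in describe(data, c)) for c in range(4)])
```

Because 34 of the 40 constructed rows are fully tied, only the six rows containing a failure contribute to the statistic, which is why it is so small.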

(B) Efficiency

The mean registration time (RegT3) and mean authentication time (AuT3) were calculated to assess the efficiency of PHAS.

Registration time: The descriptive statistics for RegT3 are given in Table 6.2. The box plots for the RegT3 distribution are shown in Figure 6.3. The RegT3 in each of the conditions was normally distributed as assessed by the Shapiro-Wilk test. A Repeated Measure ANOVA was chosen to examine the statistical significance. Since the estimate of the sphericity (0.78) was greater than 0.75, a Huynh-Feldt correction was used. The result showed no significant difference between the RegT3 in each of the conditions (F = 1.372, p = 0.258, df = 3). The post hoc comparisons also demonstrated no significant differences between all pairs of conditions. According to the descriptive statistics presented in Table 6.2, the decreasing order of RegT3 is: Doodle ≥ Mikon ≥ Art ≥ Object, but this is not statistically significant.

| Conditions | RegT3 (seconds) | SE | SD |
|---|---|---|---|
| Mikon | 57.78 | 1.42 | 9.01 |
| Doodle | 58.03 | 0.87 | 5.14 |
| Art | 56.88 | 0.86 | 5.46 |
| Object | 55.63 | 0.86 | 5.47 |

Table 6.2: Descriptive statistics for mean registration time in US3

Figure 6.3: Box plot showing the registration time distribution in US3

Authentication time: The mean authentication time (AuT3) of the passwords for the successful authentication attempts in each condition is reported in Table 6.3. The box plots for the authentication time distribution in each condition are shown in Figure 6.4.


| Conditions | AuT3 (seconds) | SE | SD |
|---|---|---|---|
| Mikon | 15.88 | 0.57 | 3.65 |
| Doodle | 17.15 | 0.44 | 2.80 |
| Art | 13 | 0.35 | 2.25 |
| Object | 13.57 | 0.33 | 2.09 |

Table 6.3: Descriptive statistics for mean authentication time in US3

Figure 6.4: Box plots showing distribution of the authentication time in US3

AuT3 for each of the conditions was not normally distributed as assessed by the Shapiro-Wilk test. A Friedman test showed that there is no significant difference between the conditions (χ² = 37.36, df = 3, p < 0.001). A Wilcoxon post hoc test showed a significant difference between all pairs of conditions, except Doodle-Mikon and Object-Art. According to the descriptive statistics presented in Table 6.3 and the significance tests, the decreasing order of AuT3 is: Doodle ≥ Mikon > Object ≥ Art. The box plots show that the art passwords have two outliers, i.e. two subjects taking a longer time to authenticate than the majority of the sample population. In both cases (outliers), subjects were not able to find the association between the hint and some of the target images forming the password. This might be due to the nature of the hints provided by these subjects. Since we did not ask the subjects the reason for the delay in authenticating, this aspect is not discussed further in the context of the art passwords in PHAS.

(C) Categories of Hints

All the subjects were asked to categorize each of their hints. The categories were: episodic memory; flashbulb memory; sign/context; descriptive knowledge; randomly chosen. The details and explanations for all the categories were provided to the subjects, which were similar to the ones described in the cognitive theory (Section 6.2). Figure 6.5 shows the responses given by 40 subjects for each hint created by them.

[Bar chart. x-axis: Different Categories (Episodic, Flashbulb internal state, Sign/context, Descriptive, Random); y-axis: Number of hints in each category (0 to 90); series: Mikon, Doodle, Art, Object.]

Figure 6.5: Responses given by the subjects in US3 in context to hint categorization

Please note that each password in PHAS is composed of four target images and each image has a hint. The number of images having descriptive hints in the case of art passwords was 32/160, which is lower than for Mikon (80/160), doodle (78/160) and object (78/160). Further analysis revealed that the number of passwords having descriptive hints for all the target images is also considerably lower in the case of art passwords than the others, as shown in Table 6.4. Descriptive hints are interesting in the sense that they can not only enhance memorability, but can also help an attacker to guess the target images. In this context, the results reported in Chapter 4 (Table 4.9) show that RBGS passwords can be effectively guessed using denotative descriptions of the target images.


| Passwords having descriptive hints for | 4 T images | 3 T images | 2 T images | 1 T image |
|---|---|---|---|---|
| Mikon | 8 | 8 | 7 | 10 |
| Doodle | 7 | 8 | 8 | 10 |
| Art | 1 | 3 | 5 | 9 |
| Object | 8 | 8 | 8 | 6 |

Table 6.4: Passwords having descriptive hints, T denotes target images

Figure 6.6 (below) presents a number of art images together with their hint and the corresponding hint category.

(i) Hint: Table; Category: Descriptive

(ii) Hint: Serene; Category: Flashbulb

(iii) Hint: Interiors; Category: internal state

(iv) Hint: Rajasthani; Category: sign

(v) Hint: Sistine; Category: Episodic

(vi) Hint: crying; Category: context

Figure 6.6 (i to vi): Art images in PHAS with hints and respective categories
