Supporting Statement

0693-0043-ITL-CSD-PasswordGenerationStudy-SS.docx

NIST Generic Clearance for Usability Data Collections


OMB: 0693-0043


Department of Commerce (DOC)/National Institute of Standards and Technology (NIST)

Generic Clearance for Usability Data Collections

OMB Control No. 0693-0043

Expiration Date: 03/31/2016



Information Technology Laboratory, Computer Security Division

Password Generation Study Post-Task Questionnaire



1. Explain who will be surveyed and why the group is appropriate to survey.


The Information Technology Laboratory’s (ITL) Computer Security Division (CSD) of the National Institute of Standards and Technology (NIST) would like to update the password sections of NIST Special Publication 800-63, Electronic Authentication Guideline. Currently, the password sections discuss only security considerations. CSD would also like to include usability considerations in the update. These usability considerations should be based on empirical data on human memory constraints, character string typing errors, and password usage. This study is a first step in collecting empirical data to complement the security data.


As part of a usability study, we intend to recruit 200 individuals through an existing contract with Fors Marsh Group (FMG), which provides a database of over 10,000 people who have participated in previous usability studies. The subjects will perform password generation tasks. They will be given password requirements and asked to generate passwords that satisfy the requirements. They will perform the password generation tasks with two different sets of password requirements. Password requirements consist of rules that need to be satisfied, such as the minimum and/or maximum number of characters allowed, use of upper or lower case letters, use of numbers, use of special characters, etc. After the password generation task, subjects will be asked to select a password for different types of hypothetical accounts, such as email, online bank, social media, or news. Finally, subjects will be asked to log into those hypothetical accounts with the passwords they selected previously. We will measure the number of passwords generated, the time it takes to generate the passwords, the strength of the passwords generated, and the accuracy and speed of logging into the hypothetical accounts.


This study was designed to detect (1) the number of passwords generated as a function of password requirements; (2) the relationship between the strength of the chosen passwords and the types of accounts; and (3) the relationship between the strength of the chosen passwords and the speed/accuracy of logging in. A statistical power analysis concluded that 200 individuals should be a sufficient number to detect these effects. The survey data to be collected from each individual will identify subjects’ perceptions of the strength, ease of remembering, and ease of typing of the passwords generated in this study.





2. Explain how the survey was developed including consultation with interested parties, pretesting, and responses to suggestions for improvement.


This usability questionnaire has been developed based on standard templates used by our usability group. Similar questions were piloted and validated in previously approved usability studies. We have incorporated the feedback and suggestions from the previous studies into the task evaluation questions and believe the questionnaire is highly usable in its current form.



3. Explain how the survey will be conducted, how customers will be sampled if fewer than all customers will be surveyed, expected response rate, and actions your agency plans to take to improve the response rate.


Prior to participation, all subjects sign a consent form that fully explains the study and the survey. After each subject has performed the password generation and selection tasks, a paper or electronic copy of the survey instrument, Password Generation Study Post-Task Questionnaire, will be provided to the subject for completion. The questions are based on standardized methods in the usability field, specifically the Questionnaire for User Interaction Satisfaction (QUIS) (http://www.lap.umd.edu/QUIS/index.html). A copy of that document has been uploaded into ROCIS.


The expected response rate is 100%, since each subject will be provided the survey by the test facilitator and will complete the survey as part of the overall usability test.



4. Describe how the results of the survey will be analyzed and used to generalize the results to the entire customer population.


The data in the task evaluations will be subjected to statistical analysis and form a primary outcome of the experiment. We intend to perform an analysis of variance to identify the sources of variability from one or more of the factors. By varying the factors in a predetermined pattern and analyzing the output, we plan to make an accurate assessment as to how different password requirements may affect the password generation space and how different types of accounts may affect the selection of passwords. The data collected will be used to update the guidance on password rules for password policies in NIST Special Publication 800-63. No generalization will be used.



File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title: Department of Commerce (DOC)/National Institute of Standards and Technology (NIST)
Author: Theofanos, Mary Frances
File Modified: 0000-00-00
File Created: 2021-01-20
