Understanding Password Preferences, Memorability, and Security through a Human-Centered Lens

TL;DR

This study explores how user behavior and visual attention during password creation influence password quality and memorability, revealing insights into human-AI password interactions and security design.

Contribution

It introduces a novel eye-tracking approach to understand the impact of visual engagement on password strength and memorability in human-AI password generation.

Findings

Participants preferred self-generated passwords despite stronger AI suggestions.

Visual attention to contextual cues correlates with higher password entropy.

AI-generated passwords trade off strength for memorability.

Abstract

Passwords remain the primary authentication method, yet user-created passwords are often the weakest due to the security-usability trade-off. Although AI-based password generators are emerging, little is known about their effectiveness and user perceptions. This eye-tracking study examined how behavior during password creation, selection, and memorization relates to objective and subjective password quality. Four password models, three AI-based (DeepSeek-API, ChatGPT-API, PassGPT) and one rule-based random generator, generated suggestions from participants' self-generated passwords across four website contexts. Eye movements were recorded throughout the experiment. Results confirm the expected trade-off between AI-generated password strength and human memorability but also reveal a novel behavioral link. Despite stronger AI-generated passwords, participants favored self-generated ones. Notably, visual attention to contextual cues was significantly correlated with higher password entropy. This suggests that security is shaped not only by the generation tool but also by users' visual engagement with contextual cues, highlighting the potential of attention-driven security design.