Writing down your password: Does it help?

Users are able to remember their phone numbers and postal codes, their student numbers, PIN numbers, and social insurance numbers. Why, then, do users have trouble remembering their passwords? This paper considers the hypothesis that being able to access written notes when needed would eventually help users to memorize the password. Further, we hypothesize that writing down passwords encourages the use of passwords that are more complex than their unwritten (memorized) counterparts. We surveyed 31 participants on their opinions and experiences with writing down passwords and tested whether these participants created more complex passwords when they were encouraged to write them down. Finally, we observed whether written passwords had higher login success rates when tested again at least one week later. Results indicate that, regardless of the experimental condition, users preferred memorizing their passwords to taking the extra step of referring to their written notes. Additionally, memorized and written passwords were remembered equally well. Finally, we found that users who had difficulty logging in had passwords with significantly higher mean entropy, which confirms the heuristic that complex passwords are harder to remember. We also unexpectedly found that users' password habits are so strongly ingrained that they often ignored our instructions about writing or memorizing their password and continued to use their pre-established strategy. This observation is noteworthy for anyone conducting user authentication research.