
The Development of a Password Classification Model




Journal of Information Systems Security
Volume 14, Number 1 (2018)
Pages 31–46
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Joakim Kävrestad — University of Skövde, Sweden
Fredrik Eriksson — University of Skövde, Sweden
Marcus Nohlberg — University of Skövde, Sweden
Information Institute Publishing, Washington DC, USA




In order to ensure that we are the only ones who can access our data, we use authentication to secure our computers and various online accounts. Passwords remain the most common type of authentication, even though there are several other ways to authenticate, including biometrics and tokens. With this study we aim to reveal and collect the different strategies that users employ when designing their passwords. To achieve this, a model was developed using interactive interviews with computer forensic experts. The model was then applied to 5,000 passwords gathered from 50 different password databases that had leaked to the Internet. The result is a model that can be used to classify passwords based on the strategy used to create them. As such, the results of this study increase the understanding of passwords, and they can be used as a tool in education and training, as well as in future research.




Passwords, Categorization, Classification, Strategies, Model



