USC Password Study

You are invited to participate in a research study conducted by Professor Jelena Mirkovic and Simon Woo, at the University of Southern California. This webpage explains the structure and purpose of this study. You should ask questions about anything that is unclear to you (see Contact Information below).
This study examines the use of memorable experiences from a person's life for creation of unique, easy-to-remember, hard-to-guess passwords. You must be aged 18 or older to participate. Your participation is voluntary and you can quit at any time.

Study procedure

In the study you will create either ordinary passwords (OPs), which are 8-character-long mixes of letters, digits and symbols, or life-experience passwords (LEPs), which use facts from your life experiences. After a given time interval, you will be asked to return and authenticate with the password you have created. Some participants will be asked to return multiple times to authenticate, or they may be asked to generate more than one LEP/OP pair. All participation is via online access.

Ordinary Password Generation

You will be asked to generate an ordinary, 8-character-long password, which is a mix of letters, digits and symbols. This should take no more than 5 minutes. For your protection, please do not reuse a password that you use for a login elsewhere.

LEP Generation

You will be asked to input information about a personal experience of your choice into our system, by answering questions posed by the system. We will use your input to extract facts about time, locations, people and activities in your experience. We will transform these facts into verification question/answer pairs. We will use the verification questions to prompt you during verification. The verification answers become your LEP.


After a given time interval, you will be asked to come back and authenticate with your password. We will invite you to this phase by email. This step will help us measure memorability of passwords, both OPs and LEPs.


We will measure how easy it would be for an attacker to guess your ordinary password by using dictionary attacks with password hashes and by recruiting people to try to break your password.

We will also measure how easy it would be for a stranger to guess your LEP by mining popular answers to your verification questions, and comparing them to your verification answers.

Potential Risks and Discomforts

There is minimal risk to you from feeling discomfort if you choose to use an unpleasant memory to create a LEP. You are asked not to choose any events which involve illegal behavior or information that could have negative consequences for you, for example, cheating, theft, etc.

We will store all your answers in the clear, but we will not ask any questions about your identity. Only research staff on this study will have access to this data. Please choose passwords and life experiences that do not contain sensitive information.

Alternatives to Participation

There are no adverse effects to you if you choose not to participate in this study or if you decide to withdraw at any point.


The University of Southern California's Human Subjects Protection Program (HSPP) reviews and monitors research studies to protect the rights and welfare of research subjects. We will protect your privacy in the following way:
  1. You will be asked to input an e-mail address, or your MTurk ID when you enter the study.
  2. We will store all contact info during the study so we can send you reminder e-mails.
  3. Your contact info will be deleted after you complete the study.
  4. All your input will be stored on our server indefinitely. Only our research staff will have access to this input. You have the right to ask for this input to be removed by sending us an e-mail.
The data stored on our server will remain there indefinitely and may be used by us in future studies.

You have a right at any time to request this data to be removed from our server by sending email to the Principal Investigator at and providing the e-mail address you used to sign up for the study.

When the results of the research are published or discussed in conferences, no identifiable information will be used. We will list our publications and publications of any researchers who use this data at our project page:

Potential Benefits to Participants and/or to Society

You may not directly benefit from your participation in this study; however, you may learn how strong your passwords (both ordinary and LEPs) are against common password-cracking tools. Researchers hope this new approach to passwords can greatly improve existing user authentication systems, making passwords both more secure and more memorable.

Participation and Withdrawal

Your participation is voluntary. Your refusal to participate will involve no penalty or loss of benefits to which you are otherwise entitled. You may withdraw your participation at any time and discontinue without penalty. You are not waiving any legal claims, rights or remedies because of your participation in this research study.

Investigator's Contact Information

If you have any questions or concerns about the research, please feel free to contact the Principal Investigator Professor Jelena Mirkovic at: or telephone: 310-448-9170.

USC Information Sciences Institute
4676 Admiralty Way, Suite 1001
Marina del Rey, CA 90292
or via

IRB Contact Information

If you have questions, concerns, or complaints about your rights as a research participant you may contact the IRB directly at the information provided below. If you have questions about the research and are unable to contact the research team, or if you want to talk to someone independent of the research team, please contact the:

University Park Institutional Review Board (UPIRB)
3720 South Flower Street #301
Los Angeles, CA 90089-0702
(213) 821-5272

Please click Part 1 HERE to enter LEPs Usability Study.

Please click Part 2 HERE to enter LEPs Usability Study.

Please click Part 3 HERE to enter LEPs Usability Study.