CCE Theses and Dissertations

Date of Award


Document Type


Degree Name

Doctor of Philosophy in Information Systems (DISS)


College of Engineering and Computing


Yair Levy

Committee Member

Herbert Mattord

Committee Member

Wei Li


Information technology, Access Control, Authentication, Cognitive Load Theory, Password Complexity Paradox, Passwords, Password Strength


The proliferation of information systems (IS) over the past decades has increased the demand for system authentication. While the majority of system authentications are password-based, it is well documented that passwords have significant limitations. To address this issue, companies have been placing increased requirements on the user to ensure their passwords are more complex and consequently stronger. In addition to meeting a certain complexity threshold, the password must also be changed on a regular basis. As the cognitive load increases on the employees using complex passwords and changing them often, they may have difficulty recalling their passwords. As such, the focus of this experimental study was to determine the effects of raising the cognitive load of the authentication strength for users upon accessing a system via increased strength for passwords requirements. This experimental research uncovered the point at which raising the authentication strength for passwords becomes counterproductive by its impact on end-user performances.

To investigate the effects of changing the cognitive load (via different password strength) over time, a quasi-experiment was proposed. Data was collected in an effort to analyze the number of failed operating system (OS) logon attempts, users’ average logon times, average task completion times, and number of requests for assistance (unlock & reset account). Data was also collected for the above relationships when controlled for computer experience, age, and gender. This quasi-experiment included two experimental groups (Group A & B), and a control group (Group C). There was a total of 72 participants from the three groups. Additionally, a pretest-posttest experiment survey was administered before and after the quasi-experiment. Such assessment was done in an effort to see if user’s perceptions of password use would be changed by participating in this experimental study. The results indicated a significant difference between the user’s perceptions about passwords before and after the quasi-experiment.

The Multivariate Analysis of Variance (MANOVA) and Multivariate Analysis of Covariate (MANCOVA) tests were conducted. The results revealed a significance difference on the number of failed logon attempts, average logon times, average task completion, and amount of request for assistance between the three groups (two treatment groups & the control group). However, no significant differences were observed when controlling for computer experience, age, and gender. This research study contributed to the body of knowledge and has implications for industry as well as for further study in the information systems domain. It contributed by giving insight into the point at which an increase of the cognitive load (via different password strengths) become counterproductive to the organization by causing an increase in number of failed OS logon attempts, users' average logon times, average task completion times, and number of requests for assistance (unlock and reset account). Future studies may be conducted in the industry as results by differ from college students.