A Systematic Review of Cognitive Passwords: Limitations, Challenges, and Solutions

Journal of Intelligent Communication

Review

Alwajeeh, M. S., Sufyan, M. M. A., Al‑Sarori, M. H., Al‑Asaly, M., & Al‑Maamari, G. A. A. (2025). A Systematic Review of Cognitive Passwords: Limitations, Challenges, and Solutions. Journal of Intelligent Communication, 5(1), 1–23. https://doi.org/10.54963/jic.v5i1.1697

Authors

  • Mohammed Sharaf Alwajeeh

    Faculty of Information Technology and Computer Science, University of Saba Region, Marib, Yemen
  • Mubarak Mohammed Al‑Ezzi Sufyan

    Department of Computer Information Systems, Al‑Jawf Faculty, University of Saba Region, Marib, Yemen
  • Mokhtar H. Al‑Sarori

    Faculty of Information Technology and Computer Science, University of Saba Region, Marib, Yemen
  • Mahfoudh Al‑Asaly

    Department of Information Technology, College of Computer, Qassim University, Buraydah 51174, Saudi Arabia
  • Ghassan Abdullah Abdulwasea Al‑Maamari

    Faculty of Information Technology and Computer Science, University of Saba Region, Marib, Yemen

Received: 12 October 2025; Revised: 20 November 2025; Accepted: 28 November 2025; Published: 12 December 2025

This study provides a comprehensive analysis of cognitive password systems as a secure and user-friendly alternative to traditional authentication mechanisms. Cognitive passwords leverage human memory, behavior, and perception to enhance usability while mitigating common security challenges such as poor memorability, password reuse, and susceptibility to attacks. The study systematically reviews various models, including graphical passwords, cognitive biometrics, and cognitive one-time passwords (OTPs), highlighting their strengths and limitations. To ensure a transparent and rigorous review, we employed a structured methodology comprising a multi-database literature search, clearly defined inclusion and exclusion criteria, and a thematic synthesis of the collected studies. Our findings indicate that cognitive password systems offer significant improvements in user experience and security but face critical challenges, including accessibility for individuals with cognitive or physical impairments, privacy concerns, vulnerability to social engineering, and scalability limitations. Furthermore, artificial intelligence (AI) emerges as a key enabler for enhancing personalization, adaptive authentication, and real-time security risk assessment. The study underscores the necessity of integrating AI thoughtfully to maximize the benefits of cognitive passwords. Overall, this research demonstrates the transformative potential of cognitive password systems in cybersecurity, emphasizing that addressing usability, privacy, and scalability challenges is essential for their practical adoption. The findings provide actionable insights for system designers, policymakers, and researchers aiming to advance secure and user-centered authentication frameworks.

Keywords:

Cognitive Password Security Usability Biometric Authentication
