Nudging folks towards stronger password choices: providing certainty is the key

  • KAREN RENAUD (a1) and VERENA ZIMMERMANN (a2)
  • Please note a correction has been issued for this article.

Abstract

Persuading people to choose strong passwords is challenging. One way to influence password strength, as and when people are making the choice, is to tweak the choice architecture to encourage a stronger choice. A variety of choice architecture manipulations (i.e. ‘nudges’) have been trialled by researchers with a view to strengthening the overall password profile. None has made much of a difference so far. Here, we report on our design of an influential behavioural intervention tailored to the password choice context: a hybrid nudge that significantly prompted stronger passwords. We carried out three longitudinal studies to analyse the efficacy of a range of ‘nudges’ by manipulating the password choice architecture of an actual university web application. The first and second studies tested the efficacy of several simple visual framing ‘nudges’. Password strength did not budge. The third study tested expiration dates directly linked to password strength. This manipulation delivered a positive result: significantly longer and stronger passwords. Our main conclusion was that the final successful nudge provided participants with absolute certainty as to the benefit of a stronger password, and that it was this certainty that made the difference.
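The mechanism behind the third study, an expiry date tied directly to the strength of the password being chosen, as an added illustration rather than the authors' own code: the strength estimator, the bit thresholds and the expiry lengths are assumptions, since the abstract gives none of them. The point of the design is that the user sees a definite expiry date and the exact gain from lengthening the password before submitting it.

```python
import math
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Character-class sizes for a crude entropy estimate (an assumption: the paper
# does not specify its estimator; a zxcvbn-style one fits production better).
_CLASSES = ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
            (string.digits, 10), (string.punctuation, 32))

# (minimum estimated bits, expiry in days), ascending. Illustrative values only.
EXPIRY_TIERS = ((0, 30), (40, 90), (60, 180), (80, 365))

def char_pool(password: str) -> int:
    """Size of the alphabet implied by the character classes actually used."""
    return sum(n for chars, n in _CLASSES if any(c in chars for c in password))

def estimate_bits(password: str) -> float:
    """Strength estimate: length * log2(pool); 0 for an empty password."""
    pool = char_pool(password)
    return len(password) * math.log2(pool) if pool else 0.0

def expiry_days(bits: float) -> int:
    """Deterministic mapping from estimated strength to an expiry window."""
    days = EXPIRY_TIERS[0][1]
    for min_bits, tier_days in EXPIRY_TIERS:
        if bits >= min_bits:
            days = tier_days
    return days

@dataclass(frozen=True)
class ExpiryFeedback:
    bits: float
    days: int
    expires_on: str  # ISO date
    message: str

def nudge(password: str, today: Optional[str] = None) -> ExpiryFeedback:
    """Feedback shown while the user is choosing: a definite expiry date plus the
    exact gain from lengthening, so the benefit of a stronger password is certain."""
    start = date.fromisoformat(today) if today else date.today()
    bits = estimate_bits(password)
    days = expiry_days(bits)
    expires_on = (start + timedelta(days=days)).isoformat()
    msg = f"This password will expire on {expires_on} ({days} days)."
    nxt = next((t for t in EXPIRY_TIERS if t[0] > bits), None)
    if nxt and char_pool(password):
        needed = math.ceil((nxt[0] - bits) / math.log2(char_pool(password)))
        msg += f" Adding {needed} more character(s) would extend it to {nxt[1]} days."
    return ExpiryFeedback(bits, days, expires_on, msg)
```

Calling `nudge("password", "2024-01-01")` yields a 30-day expiry and tells the user that one more character would reach the 90-day tier; stronger input moves up the tiers accordingly.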


Corresponding author

*Correspondence to: Karen Renaud, Cybersecurity Division, Abertay University, Dundee, UK. Email: k.renaud@abertay.ac.uk

Behavioural Public Policy
  • ISSN: 2398-063X
  • EISSN: 2398-0648
