+1 Recommend
1 collections
      • Record: found
      • Abstract: found
      • Conference Proceedings: found
      Is Open Access

      Simple Nudges for Better Password Creation

      a , b , a , a , b
      Proceedings of the 32nd International BCS Human Computer Interaction Conference (HCI)
      Human Computer Interaction Conference
      4 - 6 July 2018
      User Authentication, Passwords, Nudges


            Recent security breaches have highlighted the consequences of reusing passwords across online accounts. Recent guidance on password policies by the UK government recommend an emphasis on password length over an extended character set for generating secure but memorable passwords without cognitive overload. This paper explores the role of three nudges in creating website-specific passwords: financial incentive (present vs absent), length instruction (long password vs no instruction) and stimulus (picture present vs not present). Mechanical Turk workers were asked to create a password in one of these conditions and the resulting passwords were evaluated based on character length, resistance to automated guessing attacks, and time taken to create the password. We found that users created longer passwords when asked to do so or when given a financial incentive and these longer passwords were harder to guess than passwords created with no instruction. Using a picture nudge to support password creation did not lead to passwords that were either longer or more resistant to attacks but did lead to account-specific passwords.


            Author and article information

            July 2018
            July 2018
            : 1-12
            [a ] PaCT Lab, Northumbria University, Newcastle, UK
            [b ] Open Lab, Newcastle University, Newcastle, UK
            © Nicholsona et al. Published by BCS Learning and Development Ltd. Proceedings of British HCI 2018. Belfast, UK.

            This work is licensed under a Creative Commons Attribution 4.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/

            Proceedings of the 32nd International BCS Human Computer Interaction Conference
            Belfast, UK
            4 - 6 July 2018
            Electronic Workshops in Computing (eWiC)
            Human Computer Interaction Conference
            Product Information: 1477-9358BCS Learning & Development
            Self URI (article page): https://www.scienceopen.com/hosted-document?doi=10.14236/ewic/HCI2018.46
            Self URI (journal page): https://ewic.bcs.org/
            Electronic Workshops in Computing

            Applied computer science,Computer science,Security & Cryptology,Graphics & Multimedia design,General computer science,Human-computer-interaction
            Passwords,User Authentication,Nudges


            1. 2016 Nudges for Privacy and Security: Understanding and Assisting Userss Choices Online ACM Computing Surveys (CSUR) 50 3)44 http://doi.org/10.2139/ssrn.2859227

            2. 2002 VIP: a visual approach to user authentication In Avi, Acm 316 323 http://doi.org/10.1145/1556262.1556312

            3. 2015 Unpacking security policy compliance?: The motivators and barriers of employees ‟ security behaviors In Eleventh Symposium On Usable Privacy and Security (SOUPS 2015) 103 122

            4. 2010 The password thicket: technical and market failures in human authentication on the web Information Security 8 230 237 http://doi.org/

            5. 2010 The password thicket?: technical and market failures in human authentication on the web In The Ninth Workshop on the Economics of Information Security 1 49

            6. 2009 If someone is watching, I‟ll do what I‟m asked: mandatoriness, control, and information security European Journal of Information Systems 18 2 151 164 http://doi.org/10.1057/ejis.2009.8

            7. 2008 Influencing users towards better passwords: Persuasive Cued Click-Points In In Proceedings of the 22nd British HCI Group Annual Conference on People and Computers: Culture, Creativity, Interaction 121 130)Retrieved from http://dl.acm.org/citation.cfm?id=1531514.1531531

            8. 2000 Deja vu: A User Study Using Images for Authentication In In Proceedings of the 9th USENIX Security Symposium, Denver, CO: Usenix 2000 45 58)Retrieved from http://portal.acm.org/citation.cfm?id=1251306.1251310

            9. 2008 Securing Passfaces for Description In In Proceedings of 4th symposium on Usable privacy and security 24 35

            10. 2012 On automated image choice for secure and usable graphical passwords In Proceedings of the 28th Annual Computer Security Applications Conference on - ACSAC ’12 99 108) http://doi.org/10.1145/2420950.2420965

            11. 2007 Do background images improve “draw a secret” graphical passwords? In In Proceedings of the 14th ACM conference on Computer and communications security - CCS ’07 36 http://doi.org/10.1145/1315245.1315252

            12. 2013 Does My Password Go Up to Eleven? The Impact of Password Meters on Password Selection In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems 2379 2388 http://doi.org/10.1145/2470654.2481329

            13. 2014 An Administrator‟s Guide to Internet Password Research Proceedings of USENIX LISA’14 18

            14. 2008 Improving Text Passwords Through Persuasion In Proceedings of the 4th Symposium on Usable Privacy and Security 1 12 New York, New York, USA ACM Press http://doi.org/10.1145/1408664.1408666

            15. 2006 Password management strategies for online accounts In Proceedings of the second symposium on Usable privacy and security - SOUPS ’06 44 New York, New York, USA ACM Press http://doi.org/10.1145/1143120.1143127

            16. Government Communications Headquarters 2015 Simplifying Your Approach: Password Guidance. Retrieved from http://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf

            17. 2011 Using and managing multiple passwords: A week to a view Interacting with Computers 23 3 256 267 http://doi.org/10.1016/j.intcom.2011.03.007

            18. 2011 What makes an image memorable? In Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition 145 152 http://doi.org/10.1109/CVPR.2011.5995721

            19. 2004 The domino effect of password reuse Communications of the ACM 47 4 75 78 http://doi.org/10.1145/975817.975820

            20. 2009 Personal choice and challenge questions: a security and usability assessment In In Proceedings of SOUPS 2009 Retrieved from http://dl.acm.org/citation.cfm?id=1572543

            21. 2011 Of Passwords and People: Measuring the Effect of Password-Composition Policies Proceedings of the 2011 Annual Conference on Human Factors in Computing Systems - CHI ’11 2595 http://doi.org/10.1145/1978942.1979321

            22. 2015 Nearly 7 million Dropbox passwords have been hacked Retrieved February 11 2015, from http://www.businessinsider.com/dropob-hacked-2014-10?IR=T

            23. 1983 Protection motivation and self-efficacy: A revised theory of fear appeals and attitude change Journal of Experimental Social Psychology 19 5 469 479 http://doi.org/10.1016/0022-103183)90023-9

            24. 2009 Financial incentives and the performance of crowds Proceedings of the ACM SIGKDD Workshop on Human Computation 11 2 77 85 http://doi.org/10.1145/1809400.1809422

            25. 2010 Effectiveness of image-based mnemonic techniques for enhancing the memorability and security of user-generated passwords Computers in Human Behavior 26 4 705 715 http://doi.org/10.1016/j.chb.2010.01.007

            26. 2015 Statement from Avid Life Media Inc. Retrieved May 10, 2016, from http://www.prnewswire.com/news-releases/statement-from-avid-life-media-inc-300115394.html

            27. 2012 Faces and Pictures: Understanding age differences in two types of graphical authentications International Journal of Human-Computer Studies 71 10 958 966

            28. 2013 Age-related Performance Issues for PIN and Face-based Authentication Systems In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems 323 332 http://doi.org/10.1145/2470654.2470701

            29. 2017 Can We Fight Social Engineering Attacks By Social Means? Assessing Social Salience as a Means to Improve Phish Detection In In Proceedings of SOUPS 2017 Retrieved from http://www.usenix.org/conference/soups2017/technical-sessions/presentation/nicholson

            30. 2013 2 Million Facebook, Gmail, and Twitter passwords stolen in massive hack Retrieved February 6, 2014, from http://money.cnn.com/2013/12/04/technology/security/passwords-stolen/

            31. 2015 LinkedIn confirms account passwords hacked

            32. 2010 Pictures or questions? Examining user responses to association-based authentication In In Proceedings of HCI 2010

            33. 2008 Password cueing with cue(ink)blots In IADIS Computer Graphics and Visualization 74 81

            34. 2014 Can long passwords be secure and usable? In Proceedings of the 32nd annual ACM conference on Human factors in computing systems - CHI ’14 2927 2936 New York, New York, USA ACM Press http://doi.org/10.1145/2556288.2557377

            35. (2012a)Correct Horse Battery Staple In Proceedings of the Eighth Symposium on Usable Privacy and Security (SOUPS ’12) 1 20 http://doi.org/10.1145/2335356.2335366

            36. 2010 Encountering Stronger Password Requirements?: User Attitudes and Behaviors Categories and Subject Descriptors In In Proceedings of the Sixth Symposium on Usable Privacy and Security

            37. (2012b)Correct horse battery staple: Exploring the usability of system-assigned passphrases In In Proceedings of SOUPS 2012 Retrieved from http://dl.acm.org/citation.cfm?id=2335366

            38. 2004 Inkblot Authentication MSR-TR-2004-85 Retrieved from http://research.microsoft.com/pubs/70086/tr-2004-85.pdf

            39. 2015 Nudging towards security In Proceedings of the 2015 British HCI Conference on - British HCI ’15 193 201 New York, New York, USA ACM Press http://doi.org/10.1145/2783446.2783588

            40. 2012 How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation Blase In Proceedings of the 21st USENIX conference on Security symposium 5 16 Retrieved from http://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final209.pdf

            41. 2015 “I Added „!‟ at the End to Make It Secure Observing Password Creation in the Lab.In Proceedings of the eleventh Symposium On Usable Privacy and Security 123 140

            42. 2010 Purely Automated Attacks on PassPoints-Style Graphical Passwords IEEE Transactions on Information Forensics and Security 5 3 393 405 http://doi.org/10.1109/TIFS.2010.2053706

            43. 2014 Rockyou hack exposes names, passwords of 30m accounts Retrieved February 6 2014, from http://www.computerworld.com/article/2522045/security0/rockyou-hack-exposes-names--passwords-of-30m-accounts.html

            44. 2010 Testing metrics for password creation policies by attacking large sets of revealed passwords In In Proceedings of CCS 2010 162 175 Retrieved from http://dl.acm.org/citation.cfm?id=1866327

            45. 2000 The memorability and security of passwords - some empirical results Computer

            46. 2014 Anonymous leaked a massive list of passwords and credit card numbers Retrieved February 11, 2015, from http://techcrunch.com/2014/12/27/anonymous-leaked-a-massive-list-of-passwords-and-credit-card-numbers/


            Comment on this article