DOI: 10.1145/2702123.2702586
research-article
Open access

A Spoonful of Sugar?: The Impact of Guidance and Feedback on Password-Creation Behavior

Published: 18 April 2015

    Abstract

    Users often struggle to create passwords under strict requirements. To make this process easier, some providers present real-time feedback during password creation, indicating which requirements are not yet met. Other providers guide users through a multi-step password-creation process. Our 6,435-participant online study examines how feedback and guidance affect password security and usability. We find that real-time password-creation feedback can help users create strong passwords with fewer errors. We also find that although guiding participants through a three-step password-creation process can make creation easier, it may result in weaker passwords. Our results suggest that service providers should present password requirements with feedback to increase usability. However, the presentation of feedback and guidance must be carefully considered, since identical requirements can have different security and usability effects depending on presentation.

        Published In

        CHI '15: Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems
        April 2015
        4290 pages
        ISBN:9781450331456
        DOI:10.1145/2702123
        Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        Published: 18 April 2015

        Author Tags

        1. authentication
        2. password-composition policies
        3. passwords
        4. security policy
        5. usable security

        Qualifiers

        • Research-article

        Funding Sources

        • NSF
        • Microsoft Research

        Conference

        CHI '15
        CHI '15: CHI Conference on Human Factors in Computing Systems
        April 18 - 23, 2015
        Seoul, Republic of Korea

        Acceptance Rates

        CHI '15 Paper Acceptance Rate 486 of 2,120 submissions, 23%;
        Overall Acceptance Rate 6,199 of 26,314 submissions, 24%

        Article Metrics

        • Downloads (last 12 months): 135
        • Downloads (last 6 weeks): 26
        Reflects downloads up to 27 Jul 2024

        Cited By

        • (2023) Security and Usability of a Personalized User Authentication Paradigm: Insights from a Longitudinal Study with Three Healthcare Organizations. ACM Transactions on Computing for Healthcare 4:1 (1-40). DOI: 10.1145/3564610. Online publication date: 27-Feb-2023
        • (2023) Investigating the Password Policy Practices of Website Administrators. 2023 IEEE Symposium on Security and Privacy (SP) (552-569). DOI: 10.1109/SP46215.2023.10179288. Online publication date: May-2023
        • (2022) Password policies of most top websites fail to follow best practices. Proceedings of the Eighteenth USENIX Conference on Usable Privacy and Security (561-580). DOI: 10.5555/3563609.3563639. Online publication date: 8-Aug-2022
        • (2022) User Perceptions of Five-Word Passwords. Proceedings of the 38th Annual Computer Security Applications Conference (605-618). DOI: 10.1145/3564625.3567981. Online publication date: 5-Dec-2022
        • (2022) Enhancing the user authentication process with colour memory cues. Behaviour & Information Technology 42:10 (1548-1567). DOI: 10.1080/0144929X.2022.2091474. Online publication date: 15-Jul-2022
        • (2022) Hybrid password meters for more secure passwords – a comprehensive study of password meters including nudges and password information. Behaviour & Information Technology 42:6 (700-743). DOI: 10.1080/0144929X.2022.2042384. Online publication date: 1-Mar-2022
        • (2022) Analysis of Password Protected Documents Using Statistical Approaches on High Performance Computing. Advances in Micro-Electronics, Embedded Systems and IoT (533-545). DOI: 10.1007/978-981-16-8550-7_51. Online publication date: 23-Apr-2022
        • (2021) On the Security of Smartphone Unlock PINs. ACM Transactions on Privacy and Security 24:4 (1-36). DOI: 10.1145/3473040. Online publication date: 30-Sep-2021
        • (2021) A Systematic Literature Review of Empirical Methods and Risk Representation in Usable Privacy and Security Research. ACM Transactions on Computer-Human Interaction 28:6 (1-50). DOI: 10.1145/3469845. Online publication date: 23-Dec-2021
        • (2021) GazeMeter: Exploring the Usage of Gaze Behaviour to Enhance Password Assessments. ACM Symposium on Eye Tracking Research and Applications (1-12). DOI: 10.1145/3448017.3457384. Online publication date: 25-May-2021
