Learning from Authoritative Security Experiment Results

The 2017 LASER Workshop

Lessons Learned from Evaluating Eight Password Nudges in the Wild

Karen Renaud, Verena Zimmermann, Joseph Maguire, and Steve Draper

Abertay University, Technische Universit¨at Darmstadt, and University of Glasgow

Abstract

Background. The tension between security and convenience, when creating passwords, is well established. It is a tension that often leads users to create poor passwords. For security designers, three mitigation strategies exist: issuing passwords, mandating minimum strength levels or encouraging better passwords. The first strategy prompts recording, the second reuse, but the third merits further investigation. It seemed promising to explore whether users could be subtly nudged towards stronger passwords.

Aim.The aim of the study was to investigate the influence of visual nudges on self-chosen password length and/or strength.

Method. A university application, enabling students to check course dates and review grades, was used to support two consecutive empirical studies over the course of two academic years. In total, 497 and 776 participants, respectively, were randomly assigned either to a control or an experimental group. Whereas the control group received no intervention, the experimental groups were presented with different visual nudges on the registration page of the web application whenever passwords were created. The password strength and the password length of the experimental groups was then compared to the control group.

Results. No impact of the visual nudges could be detected, either in terms of password strength nor password length. The ordinal score metric used to calculate password strength led to a decrease in variance and test power, so that the inability to detect an effect size does not imply that such an effect does not exist.

Conclusion. We cannot conclude that the nudges had no effect on password strength. It might well be that an actual effect was not detected due to the experimental design choices. Another possible explanation for our result is that password choice is influenced by the user’s task, cognitive budget, goals and pre-existing routines. A simple visual nudge might not have the power to overcome these forces. Our lessons learned therefore recommend the use of a richer password strength quantification measure, and the acknowledgement of the user’s context, in future studies.

Important Dates

04/18 Call for Papers
07/15 Submissions Due
09/01 Authors Notified
09/11 Registration Open
          Accepting Student Grant Apps
09/15 Program Announced
09/29 Student Grant Application Deadline
09/22
Hotel reservation deadline
09/29 Pre-workshop papers due
*** EXTENDED ONE WEEK
10/07 Early Bird Registration Closes
*** EXTENDED ONE WEEK
10/18-10/19 Workshop
11/22 Final Papers Due

Apply for student travel grant LASER Venue

Important Links

LASER Workshop Home

Past Workshops

LASER Mailing List

Further Information

If you have questions or comments about LASER, or if you would like additional information about the workshop, contact us at: info@laser-workshop.org.

Join the LASER mailing list to stay informed of LASER news.