Learning from Authoritative Security Experiment Results
An Empirical Investigation of Security Fatigue:
The Case of Password Choice after Solving a CAPTCHA
Kovila P.L. Coopamootoo, Thomas Groß, and M. Faizal R. Pratama
Newcastle University and University of Derby
Background. User fatigue or overwhelm in current security tasks has been called security fatigue by the research community [10, 23]. However, security fatigue can also impact subsequent tasks. For example, while the CAPTCHA is a widespread security measure that aims to separate humans from bots , it is also known to be difficult for humans . Yet, to-date it is not known how solving a CAPTCHA influences other subsequent tasks.
Aim. We investigate users’ password choice after a CAPTCHA challenge.
Method. We conduct a between-subject lab experiment. Three groups of 66 participants were each asked to generate a password. Two groups were given a CAPTCHA to solve prior to password choice, the third group was not. Password strength was measured and compared across groups.
Results. We found a significant difference in password strength across conditions, with p=:002, corresponding to a large effect size of f = :42. We found that solving a text- or picture-CAPTCHA results in significantly poorer password choice than not solving a CAPTCHA.
Conclusions. We contribute a first known empirical study investigating the impact of a CAPTCHA on password choice and of designing security tasks in a sequence. It raises questions on the usability, security fatigue and overall system security achieved when password choice follows another effortful task or is paired with a security task.