Abstract or Summary:
Despite the pervasiveness of passwords and the importance placed on them as an authentication mechanism, users continue to create weak passwords. Explanations for this behavior range from laziness to lack of education to the rational rejection of security advice. This paper contributes concrete evidence about the effects on password strength of specific conditions, including monetary incentives, priming, strength meters, demographics, and other factors.

In laboratory experiments on Mechanical Turk, we found that the most significant predictor of a strong password was the time spent creating it. Furthermore, we present evidence that, under certain conditions, artificially increasing the amount of time spent on password creation — for example, by asking users to wait on the password creation screen — results in stronger passwords.

In empirical data and survey results, we also found evidence that users make calculated decisions based on the perceived value of creating more or less secure passwords. Additionally, we provide the results of quantifying the costs of better passwords through variables such as recall, willpower, and cognitive effort.