"I Added '!' at the End to Make It Secure": Observing Password Creation in the Lab
Date: July 2015
Publication: Proceedings of the 11th Symposium on Usable Privacy and Security, SOUPS '15
Source 1: https://www.usenix.org/system/files/conference/soups2015/soups15-paper-ur.pdf
Source 2: http://www.ece.cmu.edu/~lbauer/papers/2015/soups2015-password-creation.pdf
Source 3: https://www.andrew.cmu.edu/user/nicolasc/publications/U+-SOUPS15.pdf
Abstract or Summary:
Users often make passwords that are easy for attackers to guess. Prior studies have documented features that lead to easily guessed passwords, but have not probed why users craft weak passwords. To understand the genesis of common password patterns and uncover average users’ misconceptions about password strength, we conducted a qualitative interview study. In our lab, 49 participants each created passwords for fictitious banking, email, and news website accounts while thinking aloud. We then interviewed them about their general strategies and inspirations. Most participants had a well-defined process for creating passwords. In some cases, participants consciously made weak passwords. In other cases, however, weak passwords resulted from misconceptions, such as the belief that adding “!” to the end of a password instantly makes it secure or that words that are difficult to spell are more secure than easy-to-spell words. Participants commonly anticipated only very targeted attacks, believing that using a birthday or name is secure if those data are not on Facebook. In contrast, some participants made secure passwords using unpredictable phrases or non-standard capitalization. Based on our data, we identify aspects of password creation ripe for improved guidance or automated intervention.
PasswordResearch.com Note: Additional unlisted authors: Nicolas Christin, Lorrie Faith Cranor
Do you have additional information to contribute regarding this research paper? If so, please email firstname.lastname@example.org with the details.