Influencing user password choice through peer pressure

Passwords are the main means of authenticating users in most systems today. However, they have been identified as a weak link to the overall security of many systems and much research has been done in order to enhance their security and usability. Although many schemes have been proposed, users sti...

Bibliographic Details
Main Author: Sotirakopoulos, Andreas
Language: English
Published: University of British Columbia 2011
Online Access: http://hdl.handle.net/2429/39480
id ndltd-LACETR-oai-collectionscanada.gc.ca-BVAU.-39480
record_format oai_dc
spelling ndltd-LACETR-oai-collectionscanada.gc.ca-BVAU.-39480; 2013-06-05T04:20:13Z; Influencing user password choice through peer pressure; Sotirakopoulos, Andreas; University of British Columbia; 2011-12-06T00:05:36Z; 2011-12-06T00:05:36Z; 2011; 2011-12-05; 2012-05; Electronic Thesis or Dissertation; http://hdl.handle.net/2429/39480; eng
collection NDLTD
language English
sources NDLTD
description Passwords are the main means of authenticating users in most systems today. However, they have been identified as a weak link to the overall security of many systems and much research has been done in order to enhance their security and usability. Although many schemes have been proposed, users still find it challenging to keep up with password best practices. Our current work is based on recent research indicating that social navigation can be used to guide users to safer, more secure practices regarding computer security and privacy. Our goal is the evaluation of a novel concept for a proactive password checking mechanism that analyzes and presents to users information about their peers' password strength. Our proposed proactive password feedback mechanism is an effort to guide users in creating better passwords by relating their password strength to that of other system users. We hypothesized that this would enable users to have a better understanding of their password's strength with regard to the system at hand and its users' expectations in terms of account security. We evaluated our mechanism with two between-subjects laboratory studies, embedding our proactive password checking scheme in the Campus Wide Login (CWL) mechanism for changing an account's password. In our study, we compared the password entropy of participants assigned to our proposed mechanism to that of participants assigned to the current CWL implementation (no feedback) as well as to the traditional horizontal bar, employed by many web sites, which provides feedback in the form of absolute password strength characterization. Our results revealed a significant effect on improving password strength between our motivator and the control condition as well as between the group using the existing motivator and the control group. Although we found a difference between the no feedback condition and the two feedback conditions, we did not find any difference between feedback conditions (i.e., relative vs. absolute strength assessment). However, our results show that relating password strength to that of one's peers, while maintaining the standard visual cues, may yield certain advantages over lack of feedback or current practices.