
PiXi: Password Inspiration by Exploring Information

  • Conference paper
Information and Communications Security (ICICS 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14252)


Abstract

Passwords, a first line of defense against unauthorized access, must be secure and memorable. However, people often struggle to create secure passwords they can recall. To address this problem, we design Password inspiration by eXploring information (PiXi), a novel approach to nudge users towards creating secure passwords. PiXi is the first of its kind that employs a password creation nudge to support users in the task of generating a unique secure password themselves. PiXi prompts users to explore unusual information right before creating a password, to shake them out of their typical habits and thought processes, and to inspire them to create unique (and therefore stronger) passwords. PiXi’s design aims to create an engaging, interactive, and effective nudge to improve secure password creation. We conducted a user study (\(N=238\)) to compare the efficacy of PiXi to typical password creation. Our findings indicate that PiXi’s nudges do influence users’ password choices such that passwords are significantly longer and more secure (less predictable and guessable).


Notes

  1. In our PiXi prototype configuration, there are around 6 million possible items (all categories); 20 items are randomly selected from the pool of possible items and shown to the user, for their selected category. However, the number of possible items could be configured to be much larger.

  2. The introduction video had some minor differences for users of PiXi-Hints: it has an additional sentence that advises them to select interesting and memorable keywords. This recommendation is provided to encourage users to remember their keywords, as they will need to reuse PiXi to input them again before each login.

  3. These 193 participants chose an identical but uncommon password, possibly due to these accounts all being controlled by one.

  4. We also study them using CKL_PSM, a password strength meter based on the chunk-level PCFG model (CKL_PCFG). However, the results were quantitatively and qualitatively very similar, so we do not report them here due to space constraints.


Acknowledgment

This research was supported by the Natural Sciences and Engineering Research Council of Canada (NSERC).

Author information


Correspondence to Shengqian Wang.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper


Cite this paper

Wang, S., Salehi-Abari, A., Thorpe, J. (2023). PiXi: Password Inspiration by Exploring Information. In: Wang, D., Yung, M., Liu, Z., Chen, X. (eds) Information and Communications Security. ICICS 2023. Lecture Notes in Computer Science, vol 14252. Springer, Singapore. https://doi.org/10.1007/978-981-99-7356-9_15


  • DOI: https://doi.org/10.1007/978-981-99-7356-9_15


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-7355-2

  • Online ISBN: 978-981-99-7356-9

  • eBook Packages: Computer Science, Computer Science (R0)
