From the Quest to Replace Passwords towards Supporting Secure and Usable Password Creation

Abstract

Authentication is an important measure for protecting personal and sensitive information from unauthorised access. Password authentication still is the most widely used form of authentication despite its well-established downsides, including the cognitive load it poses for users and coping strategies resulting thereof. These include the creation of weak passwords or the reuse of passwords across accounts. Alternatives to the knowledge-based password scheme include biometric schemes, such as fingerprint authentication and token-based schemes like chip card authentication. However, attempts to replace the password on a large scale have not yet been successful. Commencing this research with an extensive rating and comparison of objective features of existing authentication schemes confirmed that the password indeed is not easily replaceable. To shine light on this seemingly intractable issue, a laboratory and an online study were conducted to explore the user perceptions of authentication schemes. Although studied less frequently than technical aspects, user perceptions are highly relevant. First, they can influence acceptance of authentication schemes, and second, mismatches between technical security and security perceptions can ultimately impact security. The two studies revealed a user preference for password authentication across different contexts of use, despite its downsides. While the initial comparison acknowledged the password’s persistence with regard to objective features, the studies confirm the relevance of password authentication from a user perspective. Because the security of password authentication largely depends on the password creation and handling of the user, further research was needed to explore measures that support secure and usable password authentication. A promising approach for encouraging secure choices without constraining the user is provided by the concept of ”nudging”, as proposed by Thaler and Sunstein. Nudges are small tweaks of the choice architecture that target automatic cognitive processes and that do not limit or significantly influence the cost of the available choices. To support secure password creation, three consecutive field studies analysed the impact of various password nudges on password creation. The first two studies used visual nudges intended to simply encourage stronger passwords and produced insignificant results. Based on the lessons learned, the resulting intervention in the third study combined a nudge with password strength information and compensation for stronger passwords in the form of later password expiry. This intervention indeed encouraged the creation of stronger passwords. The finding led to the assumption that the combination of a nudge and information provision, a hybrid nudge, may be more effective in encouraging secure choices than either intervention on its own. An online study analysed the single and joint effects of nudges and information provision across different securityrelated decisions including password creation. The findings revealed that the hybrid nudge proved to be most effective across decisions. Furthermore, the combination of transparent nudges with information provision educating users about the reasons for encouraging a particular choice appeared most favourable with regard to ethical considerations. A final online study compared the effects of different hybrid password nudges on password creation, password memorability, and the users’ perceptions. It confirmed the effectiveness of the hybrid nudge as compared to exclusive information or nudge interventions on all three counts. Yet, nearly no significant differences between hybrid password nudges emerged, indicating that the type of nudge included plays a minor role compared to the combination as such. It is concluded that the combination of nudging and information provision constitutes a promising strategy for supporting users in creating secure passwords and in making security-related decisions without enforcing a particular choice. This may further open the path towards a more human-centred approach in cybersecurity as envisioned in a mindset labelled ”Cybersecurity, Differently”. The findings are discussed regarding the transferability of the results to real-life settings and their scalability to the large number of accounts users have to manage. Suggestions for future work include field studies on hybrid password nudges, the integration into suitable tools such as password managers to ease the cognitive load, or the development of concepts that especially consider aspects such as account sensitivity or password reuse.