Using Context-Based Password Strength Meter to Nudge Users' Password Generating Behavior: A Randomized Experiment

Abstract

Encouraging users to create stronger passwords has always been one of the key issues in password-based authentication. It is particularly important as passwords are still the most common user authentication method. Furthermore, prior works have highlighted that most passwords are significantly weak. In this paper, we seek to mitigate such an issue by proposing a context-based password strength meter and investigating its effectiveness on users' password generating behavior. We conduct a randomized experiment on Amazon MTurk involving hypothetical account creating scenarios. We observe the change in users' behavior in terms of the number of occasions where users change their password after seeing the warning message, the number of occasions where users want to learn more about creating stronger passwords, and the changes in password strength. We find that our proposed password strength meter is significantly effective. Users exposed to our password strength meter are more likely to change their password, and those new passwords are stronger. Furthermore, if the information is readily available, users are willing to invest their time to learn about creating a stronger password, even in a traditional password strength meter setting. Our findings suggest that simply incorporating a contextual information to password strength meters could be one of potential methods in promoting secure behaviors among end users.