Article Preview
TopIntroduction
Passwords are a part of everyday life for most individuals. Whether using software at work or home, passwords are frequently used to secure digital resources with the critical assumption that strong passwords will decrease the likelihood of those resources being compromised. Despite a common outcry that passwords are an ineffective means of protecting identity (Herley, van Oorschot, & Patrick, 2009), there is a strong focus within the current application design paradigm to build systems that rely on users creating and maintaining passwords. The primary means of encouraging strong passwords is to utilize formal controls during the password creation process – e.g., requiring the use of specific password characteristics (e.g., # of characters, inclusion of specific types of characters, preventing the use of previous passwords, etc.) before allowing a password to be saved. Implementing formal controls during the password creation process seems appropriate given past evidence about the types of passwords that individuals often utilize. A recent examination of 32 million passwords that were stolen from RockYou, an organization that designs social media games, found that user passwords frequently violated the site’s password recommendations. The most common password being used on the site at the time of the password breach in December, 2009, was ‘123456’ (The Imperva Application Defense Center, 2010). This finding gives credence to the use of formal controls as a means of encouraging strong password selection. Indeed, formal controls have become the de facto standard for ensuring that end users comply with strong password requirements.
Of utmost concern is the suggestion that while formal controls force an individual to utilize specific password characteristics, they might not encourage effective security minded behavior. This is especially concerning since formal password enforcement mechanisms place a considerable burden on end users, often producing less than optimal security behaviors (Herley, 2009). For example, individuals on average own 25 different passwords (Florencio & Herley, 2007), most of which are required to be strong. While the within application password creation process can force the individual to create a password with specific characteristics, individuals are incented to ‘game the system’ across applications as a means of reducing overall complexity (e.g., utilizing a common password across multiple sites). By forcing password policy compliance without addressing an individual’s underlying motivation, there is a potential for deviant behavior that can nullify or harm the positive effects of requiring strong passwords. In other words, failing to encourage the ‘why’ in strong password creation can encourage individuals to take shortcuts that detract from the rationale behind strong password use.
As such, the use of formal controls must be evaluated based on their actual effectiveness in the password creation process. If formal controls do not offer a clear advantage over informal controls in creating a strong password, then any disadvantages associated with utilizing behavior controls could make its exclusive use prohibitive. The present study seeks to address the degree to which different control techniques are effective during the password creation process. Specifically, this research examines whether behavior controls frequently used during the password creation process actually result in passwords that are strong above less utilized informal control techniques (e.g., self and clan). If there is not a meaningful difference in password strength, then a de facto reliance on behavior controls should be reconsidered.
The paper proceeds as follows. First, the use of different control types during the password creation process will be discussed, with a specific focus on the most common types of implemented control techniques. To properly frame this discussion, control theory will be discussed as a means of understanding the expected impact of various control mechanisms on password creation behavior. Research hypotheses are then tested and results discussed. The paper concludes by discussing implications, limitations, and future directions.