The University Network

Simple Password Guidance Can Significantly Improve Account Security

A simple and effective way to make internet accounts more secure and harder to crack is by offering detailed support and guidance to technology users when creating account passwords, according to a joint study by researchers from the University of Plymouth in the UK, McGill University in Canada, and Purdue University.

The paper is published in Computers & Security.

The researchers found that users who received basic guidance, such as password meters, were up to 40 percent more likely to choose a secure password, and that users who were given specific information on how likely it would be for hackers to guess their passwords were up to 10 times more likely to change their original choices for a more secure password.

The study is crucial given the ever-increasing threat of cyber attacks and theft of personal information around the world. Even cryptocurrencies, which were introduced to make transactions faster and more secure, are being stolen.

In their study, the researchers conducted two different experiments and found that users are much more likely to make secure choices when they are given feedback while creating an account password.

In the first experiment, 300 users creating an internet account were offered either no guidance when making their password, or a range of support that included a standard password meter, emojis, or an emotive message telling them the strength of their chosen password. The researchers found that the number of password choices rated “weak” declined significantly, falling from about 75 percent among users who received no support to about one-third when users received guidance and feedback.

In the second experiment, the researchers gave 500 participants in the U.S. specific security-related suggestions, which included information on how likely it was that hackers could guess their password. These participants created passwords that were longer and up to 10 times more secure because they had a clearer understanding of the risks involved when choosing a private account password.

“So many of the devices, systems and services that we value are still protected by nothing more than a password, and year after year we see the evidence that people are naturally poor at choosing them,” said Steve Furnell, lead author, professor of information security at the University of Plymouth, and director of the University Centre for Security, Communications and Network Research (CSCAN). “This doesn’t mean people can’t or won’t do it, but most are not going to do so by default. So we need to guide, support and nudge them in the right direction.”

As an additional part of the study, the researchers demonstrated that several leading internet sites, including Amazon, Facebook and Twitter, continue to permit weak password practice, such as allowing combinations of a user’s first and last names, a string of numbers such as “1234567890,” and even the word “password” itself.
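The kind of in-form feedback the study describes can be implemented with a small checker that flags exactly the weak practices named above (name combinations, digit sequences, the word “password”) and returns a meter rating with reasons to show beside the password box. This is an added illustration, not code from the study or from any of the sites mentioned; the common-word list and the 12/16-character thresholds are constructed for the example.

```python
import re

# Constructed sample list; a deployment would substitute a breached-password dictionary.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "iloveyou"}


def is_sequential_digits(s: str) -> bool:
    """True for runs of consecutive digits such as '1234567890' or '0987654321'.

    Differences between neighbouring digits are taken modulo 10, so the
    wrap-around in '...890' still counts as a step of +1.
    """
    if len(s) < 4 or not s.isdigit():
        return False
    steps = {(int(b) - int(a)) % 10 for a, b in zip(s, s[1:])}
    return steps in ({1}, {9})  # all +1 (ascending) or all -1 (descending)


def password_feedback(password: str, first_name: str = "", last_name: str = "") -> dict:
    """Return a meter rating ('weak', 'fair', 'strong') and the reasons behind it.

    The reasons are the guidance text a site would display while the user types;
    nothing here blocks submission, mirroring the study's 'mere presence' approach.
    """
    reasons = []
    letters = re.sub(r"[^a-z]", "", password.lower())  # letters only, case-folded

    # Any combination of the account holder's first and last names.
    names = [n.lower() for n in (first_name, last_name) if n]
    name_combos = set(names) | {a + b for a in names for b in names}
    if letters and letters in name_combos:
        reasons.append("contains only your first and/or last name")

    if is_sequential_digits(password):
        reasons.append("is a simple sequence of digits")

    if letters in COMMON_PASSWORDS:
        reasons.append("is a commonly used word")

    if len(password) < 12:
        reasons.append("is shorter than 12 characters")

    if reasons:
        rating = "weak"
    elif len(password) < 16:
        rating = "fair"
    else:
        rating = "strong"
    return {"rating": rating, "reasons": reasons}
```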

Many of these sites continue to permit weak passwords, Furnell explained, because it makes it easier for users, and most users are unlikely to complain.

“The sites certainly should require better passwords, but whether they will or not is another matter,” he said. “Having looked at how several of the sites have evolved over the last 10 years, the progress is not massively encouraging.”

Since this lack of provision is apparent in market-leading sites, it is unlikely that users are given the security information they should have, which could potentially explain why bad practices persist, Furnell said in a statement.

However, the study suggests that adding some sort of guidance or feedback on these sites is both an easy and effective way to promote account security.

“It really isn’t that difficult to promote the guidance,” said Furnell. “Our study found that even placing a simple list of advice points alongside the password selection box seemed to motivate better choices. And we did nothing to enforce the guidance; it was the mere presence that had an effect. All sites could do this, but many do little or nothing, and password choices consequently remain poor.”

The study suggests an important lesson for end-user security in general, Furnell explained, since the combination of providing feedback and enforcing these guidance tools allows users the chance to understand the importance of security from the first time they make a private account.