Researchers might have discovered a simple way to get more computer users to opt for strong passwords – tell them how easy their weak choices would be to hack.
The idea comes from research conducted by a team led by the University of Plymouth’s Centre for Security, Communications and Network Research (CSCAN), which tested the effectiveness of password advice strategies through two experiments.
In the first, 300 users creating a website account were either offered no password advice at all or aided by a password meter, an emotive feedback message or an emoji.
The latter prompts improved matters a lot: password choices rated as “weak” dropped from 75% for the group offered no guidance, to a third for those given the emotive feedback.
In a second experiment, 500 users in the US were told how quickly a hacker might crack their password choice, causing them to choose passwords that were longer and up to ten times as strong as a result.
This points to a curious effect: the way you tell people what they’re doing wrong can be as important as the fact you’re telling them at all.
Or, if you like, the abstract rating of a password meter isn’t likely to be as effective at changing human behaviour as an alarming message telling people their hopeless password is going to make life easy for criminals.
Ideally, sites shouldn’t allow users to create weak passwords in the first place, regardless of whether advice on their weakness is offered or not.
Last year a study by Dashlane found that numerous big web brands are astonishingly lax on this score, with some imposing an apparently sensible eight-character limit without also preventing that from being a single character repeated eight times (‘11111111’).
But even sites that already have tight policies in place might be able to boost password security further by giving users strongly-worded feedback.
Study co-author Professor Steve Furnell said:
A common weakness in the provision of security is that while relevant features are present and available to be employed, users are often expected to use them with little upfront guidance or ongoing support.
It’s as if some sites are reluctant to be too insistent about password strength in case they put users off. If so, adding emotional cues could be a way to overcome this.
It’s also true that even the best-crafted password counts for nothing if it has already been compromised.
On that front, Troy Hunt’s Have I Been Pwned (HIBP) site recently launched version two of Pwned Passwords, which allows anyone to check a password to see whether it’s on the compromised naughty step – using one that turns up here would be a major security risk.
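As an added example (not code from the article or from HIBP), here is how a site can check a candidate password against Pwned Passwords v2 without sending the password itself: the service’s range API takes only the first five hex characters of the password’s SHA-1 and returns every known hash suffix under that prefix with a breach count, so the final comparison happens locally. The sample range response below is constructed for the example; the count it contains is made up.

```python
import hashlib
import urllib.request
from typing import Optional, Tuple

# Real Pwned Passwords v2 range endpoint; only a 5-char hash prefix is sent to it.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample response, in the "SUFFIX:COUNT" line format the API uses.
# The second line is the real SHA-1 suffix of the string "password"; the
# counts are made-up values for this example, not the live service's figures.
SAMPLE_RANGE_BODY = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\n"
)


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that may leave the machine and the 35-char suffix that must stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response and return how often our suffix was seen in
    breach data; 0 means the password is not in the corpus."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Fetch the live range for a prefix (network call; not used by the test)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_body: Optional[str] = None) -> int:
    """Return the breach count for the password, fetching the range if needed.
    A site should reject (or at least warn on) any non-zero result."""
    prefix, suffix = sha1_prefix_suffix(password)
    if range_body is None:
        range_body = fetch_range(prefix)
    return count_in_range(suffix, range_body)
```

Because the server sees only a prefix shared by hundreds of hashes, it cannot tell which password was checked, which is what makes it safe to run this at account-creation time.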
Or perhaps passwords are one of those insoluble conundrums and admins should focus instead on layering security using password throttling (limiting incorrect guesses), making sure password reset systems aren’t a backdoor, and enforcing multi-factor authentication.
For anyone who believes there is always a right way and a wrong way to make a password, feel free to read our password advice.