Prioritizing Security Over Usability: Strategies for How People Choose Passwords
by: Rick Wash and Emilee Rader
Passwords are one of the most common security technologies that people use ev- eryday. Choosing a new password is a security decision that can have important consequences for end users. Passwords can be long and complex, which prioritizes the security-focused aspects of a password. They can also be simple — easy to create, remember and use — which prioritizes the usability aspects of the password. The trade-off between password security versus usability represents competing constraints that shape password creation and use. We examined an ecologically valid dataset of 853 passwords entered a total of 2533 times by 134 users into 1010 websites, to test hypotheses about the impact of these constraints. We found evidence that choices about password complexity reflect an emphasis on security needs, but little support for the hypothesis that users take day-to-day ease of use of the password into account when creating it. There was also little evidence that password creation policies drive password choices.
Rick Wash and Emilee Rader. “Prioritizing Security Over Usability: Strategies for How People Choose Passwords” Journal of CyberSecurity.To Appear 2021.