Must I, can I? I don't understand your ambiguous password rules. (13th March 2017)
- Record Type:
- Journal Article
- Title:
- Must I, can I? I don't understand your ambiguous password rules. (13th March 2017)
- Main Title:
- Must I, can I? I don't understand your ambiguous password rules
- Authors:
- Greene, Kristen K.
Choong, Yee-Yin
- Abstract:
- Purpose: The purpose of this research is to investigate user comprehension of ambiguous terminology in password rules. Although stringent password policies are in place to protect information system security, such complexity does not have to mean ambiguity for users. While many aspects of passwords have been studied, no research to date has systematically examined how ambiguous terminology affects user comprehension of password rules. Design/methodology/approach: This research used a combination of quantitative and qualitative methods in a usable security study with 60 participants. Study tasks contained password rules based on real-world password requirements. Tasks consisted of character-selection tasks that varied the terms for non-alphanumeric characters to explore users' interpretations of password rule language, and compliance-checking tasks to investigate how well users can apply their understanding of the allowed character space. Findings: Results show that manipulating password rule terminology causes users' interpretation of the allowed character space to shrink or expand. Users are confused by the terms "non-alphanumeric", "symbols", "special characters" and "punctuation marks" in password rules. Additionally, users are confused by partial lists of allowed characters using "e.g." or "etc." Practical implications: This research provides data-driven usability guidance on constructing clearer language for password policies. Improving language clarity will help usability without sacrificing security, as simplifying password rule language does not change security requirements. Originality/value: This is the first usable security study to systematically measure the effects of ambiguous password rules on user comprehension of the allowed character space.
- Is Part Of:
- Information and computer security. Volume 25:Number 1(2017)
- Journal:
- Information and computer security
- Issue:
- Volume 25:Number 1(2017)
- Issue Display:
- Volume 25, Issue 1 (2017)
- Year:
- 2017
- Volume:
- 25
- Issue:
- 1
- Issue Sort Value:
- 2017-0025-0001-0000
- Page Start:
- 80
- Page End:
- 99
- Publication Date:
- 2017-03-13
- Subjects:
- Usability -- Password policies -- Password requirements -- Password rule language -- Usable security -- User comprehension
Computer security -- Management -- Periodicals
Computer networks -- Security measures -- Periodicals
Data protection -- Management -- Periodicals
658.47
- Journal URLs:
- http://www.emeraldinsight.com/loi/ics
http://www.emeraldinsight.com/
- DOI:
- 10.1108/ICS-06-2016-0043
- Languages:
- English
- ISSNs:
- 2056-4961
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 4481.796000
British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store
- Ingest File:
- 2069.xml