To make users pick stronger passwords, service providers utilize password policies and password creation feedback while the user types inside password fields. Those two techniques often fail to achieve this primary goal. In this position paper, we argue that a personalized version of polices and strength meters are worth investigating. Putting individuals into the center of attention rather than the tasks may improve the user experience of password-based authentication. We discuss the challenges and opportunities, and we outline how policies and password feedback can be tailored to specific users.
Although the death of passwords has been announced many times 1 , there is no clear roadmap to eliminate knowledge based authentication mechanism on the web: Passwords will be part of users' lives in the foreseeable future due to the lack of perfect alternatives. Since passwords bring numerous usability pitfalls, research in the domain of usable security has identified many aspects in users' attitudes and behaviors towards passwords. For instance, we know that users often choose weak passwords and re-use them across multiple websites [5]. This boosts the usability, but lowers security because it becomes simple for attackers to take control over weakly protected online profiles.
To make users pick stronger passwords, websites often ask users to include digits, symbols, or other characteristics in their secrets. There is a wide range of such password composition policies and many of them fail to achieve their goal of stronger passwords [12]. Some users try to get away with the simplest password that fulfills the requirements [8]. Other users are very careful in following the rules and even go beyond the requirements [13]. Current password policies do not account for these different user personalities. A website's password policy is the same for all users. However, such one- 1 For instance, https://www.infosecurity-magazine.com/webinars/death-ofpasswords/, http://www.gigya.com/resource/whitepaper/death-of-thepassword/, https://www.cnet.com/news/gates-predicts-death-of-thepassword/ fits-all approaches may not be the best solution to achieve better usability and security for individuals. We argue that a policy that respects the user's attitude towards password creation can be of merit for both users and the overall security of a service.
Besides enforcing password characteristics, there is also a softer approach in the form of persuasive feedback and password creation guidance. Most commonly, we encounter this type of interface design with password meters that rate the strength of a user's password as they type it. The effectiveness of password meters is well debated. For high-value accounts, Egelman et al. [4] found that such feedback can slightly boost password strength. Additionally, they found that for lower value accounts, adding a password meter is without noteworthy effects, but they do not seem to harm the experience. Yet, here again, users face a one-fits-all solution, because the password meter is the same for all users.
We build our argument at the intersection between usable security and persuasive technology. Persuading users and supporting behavior change regarding passwords was proposed in 2001 by Weirich and Sasse [16]. Since then, much work has focused on trying to nudge users to alter their behavior, but only seldom do we encounter the concepts and proposals in day-to-day web browsing. The most prevalent examples are password meters and real time feedback, i.e. a list of requirements that is checked off during password entry. These mechanisms have been studied extensively ( [2,4,13,15]). The bottom line is that users welcome real-time feedback, but strength meters have a limited effect on password choice.
A study by Ur et al. showed that users actually might not need such external feedback to judge the strength of a password correctly [14]. They found that users rated the strength of passwords fairly accurately, but also that many study participants were misled by characteristics like digits and common substitutions. This kind of misjudgment and subpar strength feedback call for novel ideas.
To approach this opportunity, a recent large scale survey suggests that there are two common types of user personalities regarding passwords [9]: "Type A" users that have a strong urge to stay in control of their digital footprint and "Type B" users that convince themselves that their data is not valuable for attackers. The study finds that both types of users do not believe to be at risk. The data can be seen as further evidence that the risk of being attacked strongly depends on the user personality, as was already suggested earlier [7,16,19]. Consequently, it is time to follow the proposal from the persuasive authentication framework (PAF) to consider personalization as persuasion principle [6]. Forget et al. argue that a personalized system can help improve the users' mental model of security.
To the best of our knowledge, such personalized systems do not exist. We propose to respect the user's personality in the way password policies enforce and communicate requirements. Ultimately, this is an opportunity make such mitigations more effective in terms of supporting the user in picking an adequate secret.
There are a couple of major challenges of personalizing password policies and strength feedback. First, before we can adapt user interfaces to individuals, an in-depth assessment of their personality is required. There are a variety of widely approved personality tests, e.g. the NEO-PI-R [1], but they all expect active user involvement. Demanding this kind of action seems unrealistic. Thus, an implicit assessment is mandatory, which is already possible with an analysis of mobile phone usage data [18] or digital footprints [3]. These current solutions are privacy invasive, so we need to adjust them to achieve a more ethically reasonable level. Users may also want to fine-tune automatic assessments, so the system needs to provide such means. Also, personality assessments could be inaccurate, so users need to be able to reset the assessment. Second, when a user picks a password, a website does not have any information about him or her, other than the manually provided user name, password, and perhaps bits of personal information. If we aim to personalize this dialog between website and user, there needs to be a way to exchange a personality profile between the two parties in an unobtrusive, privacy-sensitive manner. To make sure the users stay in control of their information the protocol needs to ask permission or at least read general settings about with whom to share personality profiles. Intensive work is going to be needed to carefully design systems that respect user preferences and eventually achieve broad acceptance.
The challenges and opportunities deliver an actionable research agenda, which we briefly illustrate with potential use cases and scenarios. Most of them require a modification of web browsers, or capabilities that can already be added with browser extensions.
Currently, password policies enforce the same rules on all users, i.e. length and complexity requirements. Still, there are different policies that deliver similarly strong passwords [12]. As outlined above, we envision a new paradigm that modifies these rules depending on the user's personality characteristics. Such a personality profile can consist of a score on each of the five dimensions of the Big-Five model [1] to be minimally privacy invasive. When the website recognizes a new user who scores high on openness, it can switch to a policy that focuses on password length rather than complexity classes, because these individuals are often very creative and constraints might be counterproductive [10]. On the contrary, policies can make highly conscientious people add various character-classes. It is likely that these users will benefit from an explicit list of requirements when they have to come up with a strong password, which can be diligently checked off requirement by requirement. Ideally, such a dynamic personalized policy would reduce the burden on users while achieving the same level of security.
So far, nudging during password selection is mostly done with password meters or concrete suggestions. The Safari browser automatically pops-up password suggestions when users register on new web sites. In our past work, we have studied the influence of different password suggestions on self-selected passwords [11]. The suggestions were rejected by most participants, but the strength of self-selected passwords significantly increased upon seeing a password suggestion. We believe that we can design such mechanisms around personality traits to make password suggestions more effective. Suggestions should therefore respect user preferences to become more powerful.
For instance, Safari could try different variations of password topologies to find out which passwords are most attractive to the user and on which web sites. Additional information on the user's personality might help but is not mandatory in this scenario. Again, such a personalized system can boost usability while adding to the overall security. However, we have to ensure that attackers do not benefit from personality models, which is a critical challenge.
Finally, to better cope with authentication overhead, users re-use their passwords many times [5]. We could use this kind of behavior to create prediction models for future registrations. The models might predict which password is going to be used on the web page for which the user creates an account. In this opportune moment, a personalized system can detect anomalies and intervene if another password from the portfolio might be a better fit for the website at hand. For instance, if a user tries to sign-up to PayPal using the same password as with their email account, the system can discourage this without blocking the action. Such an approach is designed around the individual user and their preferred re-use strategy. Infrequent suggestions like this could make better options more salient.
At the moment, the challenges to tailor security mitigations to specific users seem big. We do not know how users will react to such personalized systems in security contexts. However, since users will have to deal with passwords for the foreseeable future, we believe the challenges are worth taking and they can be approached in small steps. It will take careful design and long-term evaluation to have browser vendors consider implementing personalized security mitigations. The first small step is to mock-up the interaction and evaluate concepts in Wizard-of-Oz studies to obtain a better understanding of user reactions and attitudes towards personalized policies and feedback.