Must I, can I? I don’t understand your ambiguous password rules
Abstract
Purpose
The purpose of this research is to investigate user comprehension of ambiguous terminology in password rules. Although stringent password policies are in place to protect information system security, such complexity does not have to mean ambiguity for users. While many aspects of passwords have been studied, no research to date has systematically examined how ambiguous terminology affects user comprehension of password rules.
Design/methodology/approach
This research used a combination of quantitative and qualitative methods in a usable security study with 60 participants. Study tasks contained password rules based on real-world password requirements. Tasks consisted of character-selection tasks that varied the terms for non-alphanumeric characters to explore users’ interpretations of password rule language, and compliance-checking tasks to investigate how well users can apply their understanding of the allowed character space.
Findings
Results show that manipulating password rule terminology causes users’ interpretation of the allowed character space to shrink or expand. Users are confused by the terms “non-alphanumeric”, “symbols”, “special characters” and “punctuation marks” in password rules. Additionally, users are confused by partial lists of allowed characters using “e.g.” or “etc.”
Practical implications
This research provides data-driven usability guidance on constructing clearer language for password policies. Improving language clarity will help usability without sacrificing security, as simplifying password rule language does not change security requirements.
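The findings and the practical implication above can be made concrete in code. The block below is an added example, not code or data from the paper: it maps each of the four terms the study found confusing ("non-alphanumeric", "symbols", "punctuation marks", and a partial list introduced with "e.g.") to one plausible character set, then checks constructed sample passwords against a rule of the form "letters, digits and special characters only; at least one special character" under every reading. The character sets are this example's assumptions about how a user or a validator might read each term (the paper reports disagreement, it does not define the terms), and the sample passwords are constructed, not drawn from the study's tasks. The fully enumerated `EXPLICIT_SPECIAL` list at the end illustrates the remedy the abstract recommends: a list with no term left to interpret yields one verdict.

```python
"""Added example (not from the paper): four readings of one rule term produce
four different allowed character sets, so the same password complies under
some readings and fails under others. Every reading below is an assumption."""
import string
import unicodedata

PRINTABLE_ASCII = [chr(i) for i in range(0x20, 0x7F)]  # space through '~'


def _chars(pred):
    return frozenset(c for c in PRINTABLE_ASCII if pred(c))


# One concrete character set per confusing term. These are assumed readings,
# not definitions from the paper: the study measured that users disagree,
# it did not fix a meaning for any term.
INTERPRETATIONS = {
    # Literal reading: anything that is not a letter or digit, so space counts.
    "non-alphanumeric": _chars(lambda c: not c.isalnum()),
    # Unicode general category S* (math, currency, modifier): $ + < = > ^ ` | ~
    "symbols": _chars(lambda c: unicodedata.category(c).startswith("S")),
    # Unicode general category P*: the other 23 characters of string.punctuation
    "punctuation marks": _chars(lambda c: unicodedata.category(c).startswith("P")),
    # "special characters (e.g. !, @, #)" taken literally by a user who
    # treats the partial list as the whole list.
    "special characters (e.g. !, @, #)": frozenset("!@#"),
}

# A fully enumerated list (assumed policy): nothing is left to interpret.
EXPLICIT_SPECIAL = frozenset("!@#$%^&*()")


def check(password, special):
    """Rule under test: only letters, digits and `special` characters are
    allowed, and at least one `special` character is required. Returns both
    sub-results so the reader can see why a given reading fails."""
    allowed = set(string.ascii_letters + string.digits) | special
    return {
        "has_special": any(c in special for c in password),
        "all_allowed": all(c in allowed for c in password),
    }


def complies(password, special):
    r = check(password, special)
    return r["has_special"] and r["all_allowed"]


def verdicts(password):
    """The same password judged under every reading of the rule term."""
    return {term: complies(password, chars) for term, chars in INTERPRETATIONS.items()}


def is_ambiguous(password):
    """True when at least two readings reach different verdicts."""
    return len(set(verdicts(password).values())) > 1


def complies_explicit(password):
    """Verdict under the fully enumerated list; no interpretation involved."""
    return complies(password, EXPLICIT_SPECIAL)


# Constructed sample passwords (not from the study's task set).
SAMPLES = ["Tr0ub4dor&3", "correct horse", "p@ss+word", "hunter2"]

if __name__ == "__main__":
    for term, chars in INTERPRETATIONS.items():
        print(f"{term:36s} {len(chars):2d} chars: {''.join(sorted(chars))!r}")
    print()
    for pw in SAMPLES:
        print(f"{pw!r}: ambiguous={is_ambiguous(pw)} explicit={complies_explicit(pw)}")
        for term, ok in verdicts(pw).items():
            print(f"    {term:36s} {'pass' if ok else 'FAIL'}  {check(pw, INTERPRETATIONS[term])}")
```

Running it shows the "shrink or expand" effect directly: "correct horse" complies only under the literal non-alphanumeric reading (the space counts), "Tr0ub4dor&3" complies under two readings and fails under two, and "p@ss+word" contains a character that is "special" under every reading yet fails three of the four because the other character is not in that reading's allowed set. Under the enumerated list every password gets exactly one answer.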
Originality/value
This is the first usable security study to systematically measure the effects of ambiguous password rules on user comprehension of the allowed character space.
Acknowledgements
The authors gratefully acknowledge Dr I-Jeng Wang for his help with the expected capacity estimation and Dr Dan Wallach for his insightful comments.
Disclaimer. Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that the products mentioned are necessarily the best available for the purpose.
Citation
Greene, K.K. and Choong, Y.-Y. (2017), "Must I, can I? I don’t understand your ambiguous password rules", Information and Computer Security, Vol. 25 No. 1, pp. 80-99. https://doi.org/10.1108/ICS-06-2016-0043
Publisher
Emerald Publishing Limited
Copyright © 2017. The authors are employees of the US Government and transfer the rights to the extent transferable.