
    Lessons learned from evaluating eight password nudges in the wild

    Background. The tension between security and convenience, when creating passwords, is well established. It is a tension that often leads users to create poor passwords. For security designers, three mitigation strategies exist: issuing passwords, mandating minimum strength levels or encouraging better passwords. The first strategy prompts recording, the second reuse, but the third merits further investigation. It seemed promising to explore whether users could be subtly nudged towards stronger passwords. Aim. The aim of the study was to investigate the influence of visual nudges on self-chosen password length and/or strength. Method. A university application, enabling students to check course dates and review grades, was used to support two consecutive empirical studies over the course of two academic years. In total, 497 and 776 participants, respectively, were randomly assigned either to a control or an experimental group. Whereas the control group received no intervention, the experimental groups were presented with different visual nudges on the registration page of the web application whenever passwords were created. The experimental groups' password strengths and lengths were then compared with those of the control group. Results. No impact of the visual nudges could be detected, neither in terms of password strength nor length. The ordinal score metric used to calculate password strength led to a decrease in variance and test power, so that the inability to detect an effect size does not definitively indicate that such an effect does not exist. Conclusion. We cannot conclude that the nudges had no effect on password strength. It might well be that an actual effect was not detected due to the experimental design choices. Another possible explanation for our result is that password choice is influenced by the user's task, cognitive budget, goals and pre-existing routines. A simple visual nudge might not have the power to overcome these forces.
    Our lessons learned therefore recommend the use of a richer password strength quantification measure, and the acknowledgement of the user's context, in future studies.

    Nudging folks towards stronger password choices: providing certainty is the key

    Persuading people to choose strong passwords is challenging. One way to influence password strength, as and when people are making the choice, is to tweak the choice architecture to encourage stronger choice. A variety of choice architecture manipulations, i.e. "nudges", have been trialled by researchers with a view to strengthening the overall password profile. None has made much of a difference so far. Here we report on our design of an influential behavioural intervention tailored to the password choice context: a hybrid nudge that significantly prompted stronger passwords. We carried out three longitudinal studies to analyse the efficacy of a range of "nudges" by manipulating the password choice architecture of an actual university web application. The first and second studies tested the efficacy of several simple visual framing "nudges". Password strength did not budge. The third study tested expiration dates directly linked to password strength. This manipulation delivered a positive result: significantly longer and stronger passwords. Our main conclusion was that the final successful nudge provided participants with absolute certainty as to the benefit of a stronger password, and that it was this certainty that made the difference.

    Guidelines for ethical nudging in password authentication

    Nudging has been adopted by many disciplines in the last decade in order to achieve behavioural change. Information security is no exception. A number of attempts have been made to nudge end-users towards stronger passwords. Here we report on our deployment of an enriched nudge displayed to participants on the system enrolment page, when a password has to be chosen. The enriched nudge was successful in that participants chose significantly longer and stronger passwords. One thing that struck us as we designed and tested this nudge was that we were unable to find any nudge-specific ethical guidelines to inform our experimentation in this context. This led us to reflect on the ethical implications of nudge testing, specifically in the password authentication context. We mined the nudge literature and derived a number of core principles of ethical nudging. We tailored these to the password authentication context, and then show how they can be applied by assessing the ethics of our own nudge. We conclude with a set of preliminary guidelines derived from our study to inform other researchers planning to deploy nudge-related techniques in this context.

    Ethical guidelines for nudging in information security & privacy

    There has recently been an upsurge of interest in the deployment of behavioural economics techniques in the information security and privacy domain. In this paper, we consider first the nature of one particular intervention, the nudge, and the way it exercises its influence. We contemplate the ethical ramifications of nudging, in its broadest sense, deriving general principles for ethical nudging from the literature. We extrapolate these principles to the deployment of nudging in information security and privacy. We explain how researchers can use these guidelines to ensure that they satisfy the ethical requirements during nudge trials in information security and privacy. Our guidelines also provide guidance to ethics review boards that are required to evaluate nudge-related research.

    Encouraging password manager adoption by meeting adopter self-determination needs

    Password managers are a potential solution to the password conundrum, but adoption is paltry. We investigated the impact of a recommender application that harnessed the tenets of self-determination theory to encourage adoption of password managers. This theory argues that meeting a person's autonomy, relatedness and competence needs will make them more likely to act. To test the power of meeting these needs, we conducted a factorial experiment, in the wild. We satisfied each of the three self-determination factors, and all individual combinations thereof, and observed short-term adoption of password managers. The Android recommender application was used by 470 participants, who were randomly assigned to one of the experimental or control conditions. Our analysis revealed that when all self-determination factors were satisfied, adoption was highest, while meeting only the autonomy or relatedness needs individually significantly improved the likelihood of adoption.

    Usability and Trust in Information Systems

    The need for people to protect themselves and their assets is as old as humankind. People's physical safety and their possessions have always been at risk from deliberate attack or accidental damage. The advance of information technology means that many individuals, as well as corporations, have an additional range of physical (equipment) and electronic (data) assets that are at risk. Furthermore, the increased number and types of interactions in cyberspace have enabled new forms of attack on people and their possessions. Consider grooming of minors in chat-rooms, or Nigerian email cons: minors were targeted by paedophiles before the creation of chat-rooms, and Nigerian criminals sent the same letters by physical mail or fax before there was email. But the technology has decreased the cost of many types of attacks, or the degree of risk for the attackers. At the same time, cyberspace is still new to many people, which means they do not understand risks, or recognise the signs of an attack, as readily as they might in the physical world. The IT industry has developed a plethora of security mechanisms, which could be used to mitigate risks or make attacks significantly more difficult. Currently, many people are either not aware of these mechanisms, or are unable or unwilling to use them. Security experts have taken to portraying people as "the weakest link" in their efforts to deploy effective security [e.g. Schneier, 2000]. However, recent research has revealed that at least some of the problem may be that security mechanisms are hard to use, or are ineffective. The review summarises current research on the usability of security mechanisms, and discusses options for increasing their usability and effectiveness.

    Exercises using a touchscreen tablet application improved functional ability more than an exercise program prescribed on paper in people after surgical carpal tunnel release: a randomised trial

    Question: In people who have undergone surgical carpal tunnel release, do sensorimotor-based exercises performed on the touchscreen of a tablet device improve outcomes more than a conventional home exercise program prescribed on paper? Design: Randomised, parallel-group trial with concealed allocation, assessor blinding, and intention-to-treat analysis. Participants: Fifty participants within 10 days of surgical carpal tunnel release. Intervention: Each participant was prescribed a 4-week home exercise program. Participants in the experimental group received the ReHand tablet application, which administered and monitored exercises via the touchscreen. The control group was prescribed a home exercise program on paper, as is usual practice in the public hospital system. Outcome measures: The primary outcome was functional ability of the hand, reported using the shortened form of the Disabilities of the Arm, Shoulder and Hand (QuickDASH) questionnaire. Secondary outcomes were grip strength, pain intensity measured on a 10-cm visual analogue scale, and dexterity measured with the Nine-Hole Peg Test. Outcomes were measured by a blinded assessor at baseline and at the end of the 4-week intervention period. Results: At Week 4, functional ability improved significantly more in the experimental group than the control group (MD –21, 95% CI –33 to –9) on the QuickDASH score (0 to 100). Although the mean estimates of effect on the secondary outcome also all favoured the experimental group, none reached statistical significance: grip strength (MD 5.6 kg, 95% CI –0.5 to 11.7), pain (MD –1.4 cm, 95% CI –2.9 to 0.1), and dexterity (MD –1.3 seconds, 95% CI –3.7 to 1.1). Conclusion: Use of the ReHand tablet application for early rehabilitation after carpal tunnel release is more effective in the recovery of functional ability than a conventional home exercise program. It remains unclear whether there are any benefits in grip strength, pain or dexterity. 
Trial registration: ACTRN12618001887268

    Addressing Misconceptions About Password Security Effectively

    Nowadays, most users need more passwords than they can handle. Consequently, users have developed a multitude of strategies to cope with this situation. Some of these coping strategies are based on misconceptions about password security. In such cases, the users are unaware of their insecure password practices. Addressing the misconceptions is vital in order to decrease insecure coping strategies. We conducted a systematic literature review with the goal to provide an overview of the misconceptions about password security. Our literature review revealed that misconceptions exist in basically all aspects of password security. Furthermore, we developed interventions to address these misconceptions. Then, we evaluated the interventions' effectiveness in decreasing the misconceptions at three small and medium sized enterprises (SME). Our results show that the interventions decrease the overall prevalence of misconceptions significantly in the participating employees.