Security-Conscious Password Behavior From the End-User’s Perspective

Even though technical solutions for security problems are widespread, there are no adequate security measures against precarious user behavior.  Even if hashing and encrypting are used correctly in masking the passwords, attackers can bypass these strong points by going for the weakest link.  Most likely, this will happen through sharing a password, using an already leaked password, or creating a feasibly guessable password (Olmstead & Smith, 2017).  Furthermore, people seem to feel safe in cyberspace, even if they engage in risky behaviors (Vozmediano et al., 2013).

User authentication by text-based passwords is still common for various applications.  Contrary to the relevance of secure user behavior while choosing and handling the password, academic researchers tended to neglect this topic for the last few years, so the problem of human decision-making in text-based password creation remains mostly uninspected.

After highlighting the human factor as a potential error in cybersecurity, along with many empirical studies regarding this topic, various strategies were offered to counter this threat (Shay et al., 2012; Fahl et al., 2013; Ur et al., 2012; Garfinkel & Miller, 2005; Sheng et al., 2015).  While most of these strategies, advice, and technical solutions concerning weak passwords remain unknown to the wider public, some solutions were adapted in common practice, e.g., password management tools.  The mentioned password managers generate plenty of strong and unique passwords for each website a user may require a password for, and all of them can be easily accessed with just one master password.  In contrast to most user-generated passwords, passwords created by password managers are pseudo-random and hard to predict.  Users who try to generate a strong password often fail this task because they use strategies a computer might easily bypass, such as adding special characters and numbers at the end of their password, as well as using a capital letter at the beginning (Ur et al., 2012).  The mentioned password managers or even a program generating pseudo-random strings can lead to safer passwords regarding the possibility to be cracked.  For end-users, aspects of usability and intelligibility seem to determine the acceptance of software supporting password purposes, yet the usage of password management tools is the exception rather than the norm (Olmstead & Smith, 2017).

Most people have not altered their password-related behavior; it is widely known that people are prone to create passwords that are easily guessed and engage in unsecure practices, such as reusing passwords across different accounts (Wang et al., 2018; Hunt, 2019; Stobert & Biddle, 2014). Furthermore, false lore and myths about secure password creation seem to endure, conveying an illusion of security from a user’s perspective (Ur et al., 2015; Ur et al., 2016).  This article will identify common ideas about secure passwords by surveying 98 participants regarding their password strategies and habits, as well as asking them to estimate the security of their strategies and encouraging them to rate the security of the other strategies collected in this study.