Do Users Correctly Identify Password Strength?
Keywords: passwords, password strength, authentication, ethics, socioeconomic factors
Much of the security for information systems rests upon passwords. Yet, the scale of password use is producing elevated levels of cognitive burden. Existing research has investigated the effects of this cognitive burden with a focus on weak versus strong passwords. However, the literature presupposes that users can meaningfully distinguish weak passwords from strong ones. Further, there may be ethical implications of forcing users to identify password strength when they are unable to do so. Accordingly, the purpose of this study was to measure what socioeconomic characteristics, if any, led participants to identify weak and strong password strengths in a statistically significant manner. We gathered 436 participants using Amazon’s Mechanical Turk platform and asked them to identify 50 passwords as either weak or strong. Then, we employed a chi-square test of independence to measure the potential relationship between three socioeconomic characteristics (education, profession, technical skill) and the frequency of correct weak and strong password identification. The results show significant relationships across all variable combinations except for technical skill and strong passwords, which revealed no relationship.