Must I, can I? I don’t understand your ambiguous password rules

Kristen K. Greene (National Institute of Standards and Technology, Gaithersburg, Maryland, USA)
Yee-Yin Choong (National Institute of Standards and Technology, Gaithersburg, Maryland, USA)

Information and Computer Security

ISSN: 2056-4961

Article publication date: 13 March 2017

Abstract

Purpose

The purpose of this research is to investigate user comprehension of ambiguous terminology in password rules. Although stringent password policies are in place to protect information system security, such complexity does not have to mean ambiguity for users. While many aspects of passwords have been studied, no research to date has systematically examined how ambiguous terminology affects user comprehension of password rules.

Design/methodology/approach

This research used a combination of quantitative and qualitative methods in a usable security study with 60 participants. Study tasks contained password rules based on real-world password requirements. Tasks consisted of character-selection tasks that varied the terms for non-alphanumeric characters to explore users’ interpretations of password rule language, and compliance-checking tasks to investigate how well users can apply their understanding of the allowed character space.

Findings

Results show that manipulating password rule terminology causes users’ interpretation of the allowed character space to shrink or expand. Users are confused by the terms “non-alphanumeric”, “symbols”, “special characters” and “punctuation marks” in password rules. Additionally, users are confused by partial lists of allowed characters using “e.g.” or “etc.”

Practical implications

This research provides data-driven usability guidance on constructing clearer language for password policies. Improving language clarity will help usability without sacrificing security, as simplifying password rule language does not change security requirements.
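As an added example (not from the paper, and not an artifact of the study), the following Python derives both the rule text shown to users and the compliance check from one explicit character set, so the text lists every allowed non-alphanumeric character instead of a partial "e.g." list or a term such as "special characters"; the class name and the sample allowed set are assumptions.

```python
# Added example: one explicit character space is the single source of truth for
# the rule text and for the checker, so wording and enforcement cannot disagree.
from dataclasses import dataclass
import string


@dataclass(frozen=True)
class PasswordRule:
    """Password rule with an enumerated allowed character space (constructed example)."""
    min_length: int = 12
    # Constructed sample set of allowed non-alphanumeric characters (an assumption).
    allowed_other: str = "!@#$%^&*()-_=+"
    require_other: bool = True

    @property
    def allowed(self) -> str:
        """Every character a compliant password may contain."""
        return string.ascii_letters + string.digits + self.allowed_other

    def text(self) -> str:
        """User-facing rule text that lists every allowed character; no 'e.g.' or 'etc.'."""
        listed = " ".join(self.allowed_other)
        must = "must" if self.require_other else "may"
        return (f"Your password must be at least {self.min_length} characters long. "
                f"It may contain letters (A-Z, a-z) and digits (0-9). "
                f"It {must} contain at least one of these characters: {listed} "
                f"No other characters are allowed.")

    def check(self, password: str) -> list[str]:
        """Return the violated rules in plain language; an empty list means compliant."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        # Report exactly which characters fall outside the allowed space.
        disallowed = sorted({c for c in password if c not in self.allowed})
        if disallowed:
            problems.append("contains disallowed characters: " + " ".join(disallowed))
        if self.require_other and not any(c in self.allowed_other for c in password):
            problems.append("missing one of the required characters: "
                            + " ".join(self.allowed_other))
        return problems


if __name__ == "__main__":
    rule = PasswordRule()
    print(rule.text())
    print(rule.check("correct-horse-battery"))   # compliant: []
    print(rule.check("pass~word"))               # too short, '~' disallowed, no required char
```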

Originality/value

This is the first usable security study to systematically measure the effects of ambiguous password rules on user comprehension of the allowed character space.

Acknowledgements

The authors gratefully acknowledge Dr I-Jeng Wang for his help with the expected capacity estimation and Dr Dan Wallach for his insightful comments.

Disclaimer. Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that the products mentioned are necessarily the best available for the purpose.

Citation

Greene, K.K. and Choong, Y.-Y. (2017), "Must I, can I? I don’t understand your ambiguous password rules", Information and Computer Security, Vol. 25 No. 1, pp. 80-99. https://doi.org/10.1108/ICS-06-2016-0043

Publisher

Emerald Publishing Limited

Copyright © 2017. The authors are employees of the US Government and transfer the rights to the extent transferable.