Is Your Password Secure Enough?

Feb. 7, 2023

Faculty Research

How do you remember your passwords? Especially your so-called “strong” passwords? Maybe you write it down on a trusty sticky note or type it in the Notes app on your phone. Regardless of how you keep track of them, passwords are inherently hard to recall and create.

When we’re tasked with creating a new password, we’re often met with a password strength meter. But are the red, yellow and green warnings in a password meter the best way to tell people how secure their password is?

New research from Associate Professor of Management Information Systems in the Eller College of Management Matt Hashim takes a closer look. The paper is forthcoming in Information Systems Research.

“What we accomplish in our research is the introduction of supplemental and easy to understand information that can be helpful for users during the password creation process,” summarizes Hashim.

Hashim and his co-authors tested a password strength meter guided by the elaboration likelihood model of persuasion (ELM). Said meter displayed one of three messages to users: “how long it would take the password to be cracked; peer comparisons (or a ranking); or a similarity message given as a probability of having the same password as others,” he says.

They evaluated the meter via a three-pronged approach: a survey-based experiment, a controlled laboratory experiment and a randomized field experiment on a real website.

The results show that the ELM strength meter makes users more likely to change their password to a stronger option. Giving users context and a comparison point for their password was crucial.

“If you think about existing password and strength meters, what does a ‘yellow’ warning actually mean? What does adding a special character mean? In contrast, concrete, user-comprehensible messages can be acted upon, and in a way that yields better password strength,” says Hashim.

Plus, the co-authors noticed an average of an 18 percent increase in password strength, “resulting in more than five additional weeks needed by an attacker to crack a password,” he noted.

Although crafting a hack-proof password is challenging, Hashim and his co-authors seek to remind individuals to practice security-minded behaviors, use multi-factor authentication and refrain from reusing passwords.

“Our goal is that the average layperson may improve their secure behaviors when given the opportunity to respond to a warning that is comprehensible,” Hashim concludes.