Feb. 25, 2019
Weak passwords like these are the poor quality locks that hackers love to break. The obvious solution is for people to choose stronger passwords, but encouraging users to change their password behaviors has proven much harder than anticipated.
Why, exactly, has this been so challenging? One popular theory to explain the stasis is that people don’t know how to create strong passwords, nor do they know how hackers go about guessing them. The theory has prompted widespread educational campaigns, so that now, even school children can tell you what a strong password should look like.
Still, weak passwords persist …
The next theory to explain why people don’t choose strong passwords is that they’re lazy and apathetic. To date, the organizational response to apathy and laziness has been to deploy stringent control mechanisms. IT departments write and disseminate password management policies, and people are expected to comply. Kaspersky recently reported that 40 percent of employees fear being punished for cybersecurity incidents, which suggests that organizations are threatening sanctions to make their policies harder to ignore.
What is going on here? Let’s go back to the beginning. Most training and awareness campaigns deliver their training based on two implicit assumptions: (1) that behavior can be changed by giving people the facts, and (2) that a switch to stronger passwords is a simple matter of replacing the existing routine with a different and better one.
Both of these assumptions are flawed. In the first place, behavioral science research suggests that behaviors are informed by context, emotion and social norms, and pre-existing beliefs are not reliably changed by facts. Because this is so, assumption two also fails to stand: it is not simply a matter of swapping one routine for another.
While spending time at Mississippi State University as a Fulbright scholar, I worked with Robert Otondo and Merrill Warkentin to find out whether another behavioral bias could influence how closely people cling to their password creation routines – what’s known as the endowment effect. When people own physical items such as coffee mugs or particular items of clothing, they can develop an emotional attachment to the endowed item, which leads them to value it disproportionately. This effect can also make people reluctant to relinquish it. Any attempt to suggest that the endowed item is flawed is seen as a threat, which makes people defensive. This can then encourage them to cling even more tightly to the owned item.
Our research revealed that people not only had personal password creation routines, but were reluctant to entertain any suggestion that they should change them. They felt attached to them the way that they might feel attached to an old beloved coffee mug. That being so, they reacted defensively to suggestions that they were flawed, and ought to be replaced.
Many used something they already knew, such as a pet name or their own birthday. Others had developed an algorithm. They might have a root password and then personalize it for each different site, use a pattern on the keyboard or make up a silly sentence. Most worrying, in the password context, is that they overestimated the strength and protection that these passwords afforded them, because their emotional attachment made them over-optimistic.
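The routines described above (a token the user already knows, a keyboard pattern, one root password personalized per site) are exactly the ones a password-quality check can flag before the user commits to them. The following Python is an added example, not the authors' research instrument or any product's code: it assumes a small, constructed set of personal tokens (standing in for profile fields an organization could use to personalize its own check), a US QWERTY layout for keyboard walks, and that the site name is the first DNS label of the login host. The sample passwords are constructed.

```python
"""Flags the three password routines described in the article: a personal
token (pet name, birth year), a keyboard-row walk, and one root password
personalized with each site's name. Constructed example; the token list,
keyboard layout and sample passwords are assumptions, not the authors' data.
"""
import math
import re
from typing import Dict, List, Optional

# Constructed: personal tokens an organization could take from the user's own
# profile (pet name, birth year, birth date) to personalize its password check.
PERSONAL_TOKENS = {"fluffy", "1984", "12051984"}

# Assumed US QWERTY rows; runs along a row in either direction count as a walk.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def longest_keyboard_walk(pw: str) -> int:
    """Length of the longest run of 3 or more adjacent keys along one row, else 0."""
    low = pw.lower()
    best = 2                      # runs of 2 keys are not treated as patterns
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for n in range(len(seq), best, -1):   # only look for longer runs
                if any(seq[i:i + n] in low for i in range(len(seq) - n + 1)):
                    best = n
                    break
    return best if best > 2 else 0


def personal_token_hits(pw: str) -> List[str]:
    """Personal tokens (case-insensitive) that appear inside the password."""
    low = pw.lower()
    return sorted(t for t in PERSONAL_TOKENS if t in low)


def strip_site(pw: str, site: str) -> str:
    """Remove the site's first DNS label (facebook.com -> 'facebook') from pw."""
    label = site.split(".")[0]
    return re.sub(re.escape(label), "", pw, flags=re.IGNORECASE)


def shared_root(passwords: Dict[str, str]) -> Optional[str]:
    """If every site's password is one fixed root plus that site's label, return the root."""
    roots = {strip_site(pw, site) for site, pw in passwords.items()}
    if len(roots) == 1:
        root = roots.pop()
        return root or None
    return None


def nominal_bits(pw: str) -> float:
    """The brute-force estimate a user might believe in: log2(charset ** length)."""
    charset = 0
    if re.search(r"[a-z]", pw):
        charset += 26
    if re.search(r"[A-Z]", pw):
        charset += 26
    if re.search(r"[0-9]", pw):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        charset += 33
    return len(pw) * math.log2(charset) if charset else 0.0


def assess(pw: str, site: str) -> List[str]:
    """Findings for one password; an empty list means none of the routines matched."""
    findings = []
    hits = personal_token_hits(pw)
    if hits:
        findings.append("personal token: " + ", ".join(hits))
    walk = longest_keyboard_walk(pw)
    if walk:
        findings.append(f"keyboard walk of {walk} keys")
    if strip_site(pw, site) != pw:
        findings.append("contains the site name")
    return findings


if __name__ == "__main__":
    # Constructed sample: one root personalized per site, as the article describes.
    vault = {
        "facebook.com": "Fluffy1984!facebook",
        "twitter.com": "Fluffy1984!twitter",
        "bank.example": "Fluffy1984!bank",
    }
    for site, pw in vault.items():
        print(f"{site:14} {nominal_bits(pw):5.1f} nominal bits  findings={assess(pw, site)}")
    print("shared root across sites:", shared_root(vault))
    print("qwerty123! walk length:", longest_keyboard_walk("qwerty123!"))
```

The gap the article points to shows up in the output: each vault entry scores around 125 "nominal" bits, the figure a user who counts characters would trust, yet every one of them is the same root plus a site name that anyone who knows the routine can supply. A check like this gives a user feedback about their routine at the moment they create the password, rather than a generic instruction that their habit is flawed.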
This finding should make us re-examine the way we carry out security awareness and training campaigns. If we want people to replace their existing password creation routines, telling them that their existing routine is flawed may be the wrong strategy. Instead, practitioners and educators should consider how to design campaigns so that they don't trigger the defensiveness of the endowment effect. Figuring out how to do this is the next stage of our research.