Nudging has proven itself in various areas such as health, education, finance, security and privacy. Nudging argues that to facilitate decision-making, it is better to make the process easy, more attractive, and socially desirable rather than relying on the establishment of strict policies, prohibitions or even sanctions. Nudging can take several forms, such as labelling of food products to healthier choices, comparing electricity consumption between dwellings in the same residential area to encourage consumers to be more vigilant about their consumption, or even using the automatic subscription to savings services in banks.
In information security, nudging has been used extensively to promote better decision-making about users’ online security, including the choice of passwords. However, these nudges often have a “one size fits all” approach, although several studies have shown that they have varying effects depending on the user’s profile. It is therefore important to consider the heterogeneity of users when customizing using nudges.
The authors of this article looked at five soft incentives:
- Password Meter, which visually displays the strength of a password.
- Crack-Time which provides feedback on time required to crack a password.
- Social which allows comparison of password strength according to social norms.
- Correct Horse Battery Staple (CHBS) which suggests that users concatenate words to create passwords.
- Insertion that suggests users insert numbers and special characters into their password randomly.
To measure individual differences in decision-making, the researchers used four measurement scales: General Decision-Making Style, Need for Cognition, Consideration of Consequences futures and numeracy.
The 2,074 participants were asked to complete a questionnaire on general decision-making style and the need for cognition. They were then split into three groups: a first group received personalized nudges, another received none, and a third received randomly. Next, participants were asked to change the password for an email address that will be used later. A week later, in a follow-up study, participants were asked to enter the password chosen previously.
The results showed that, on average, passwords were stronger for participants who received the personalized soft inducements. Additionally, the authors calculated that these passwords, created using nudges, take longer to crack than other passwords.
This study shows that personalizing soft incentives can increase the strength of a password. However, the authors mention that many efforts are required to put in place this type of measure.