Abstract
Despite technological advances, humans remain the weakest link in Internet security. In this study, we examined five password-management behaviours to answer questions about user knowledge of password quality, motivation behind password selection and the effect of account type on password-management behaviour. First, we found that users know what constitutes a good/bad password and know which common password-management practices are (in)appropriate. Second, users are motivated to engage in these bad password-management behaviours because they do not see any immediate negative consequences to themselves (negative externalities) and because of the convenience–security tradeoff. Applying Construal Level Theory, we found that this tradeoff can be positively influenced by imposing a time frame factor, i.e. whether the password change will take place immediately (which results in weaker passwords) or in the future (which results in stronger passwords). Third, we found a time frame effect only for more important (online banking) accounts.
Notes
1. Before presenting the results of Study 2, we would like to address a possible alternative explanation for our findings: risk taking. It is possible that risk takers were consistently less concerned about security (and more about convenience) while those who were risk avoidant were more concerned about security (and less about convenience). To address this issue, we measured both general and password-management risk propensity. Risk taking as a general personality trait and risk taking as it relates to password management were both measured on a seven-point scale (one being strongly disagree and seven being strongly agree). The reliabilities of the two scales were α = 0.81 and α = 0.74 for general personality trait and password management, respectively. Next, the scores of the two scales were averaged. There were no differences in risk-taking propensities (as a general personality trait and as it relates to password management) between users who were more concerned about convenience and those who were more concerned about security with respect to the positive and negative thoughts that were elicited when asked about choosing a first-time password or changing a password (ts(130) < 1.2, ps > 0.22).
2. An alternative explanation for our findings is that the security–convenience tradeoff variable was strongly correlated with the intention to pick a secure password. A high correlation between these two variables would result in the security–convenience tradeoff variable having a greater impact in determining actual password quality than the intention to pick a secure password. To rule out this possible explanation, we examined the bivariate correlations among password quality, the security–convenience tradeoff and the intention to pick a secure password. There was a significant relationship between the security–convenience tradeoff and password quality (correlation γ = 0.24, p < 0.01) but not between the intention to pick a secure password and password quality (correlation γ = 0.12, p > 0.13). This means the relationship between the intention to pick a secure password and password quality is much weaker than that between the security–convenience tradeoff variable and password quality.