sesa 19(21): e1

Research Article

Human-Generated and Machine-Generated Ratings of Password Strength: What Do Users Trust More?

Download36 downloads
  • @ARTICLE{10.4108/eai.13-7-2018.162797,
        author={Saeed Ibrahim Alqahtani and Shujun Li and Haiyue Yuan and Patrice Rusconi},
        title={Human-Generated and Machine-Generated Ratings of Password Strength: What Do Users Trust More?},
        journal={EAI Endorsed Transactions on Security and Safety},
        volume={6},
        number={21},
        publisher={EAI},
        journal_a={SESA},
        year={2019},
        month={8},
        keywords={Password strength, password meter, user perception, trust, human-generated, machine-generated, ratings},
        doi={10.4108/eai.13-7-2018.162797}
    }
    
  • Saeed Ibrahim Alqahtani
    Shujun Li
    Haiyue Yuan
    Patrice Rusconi
    Year: 2019
    Human-Generated and Machine-Generated Ratings of Password Strength: What Do Users Trust More?
    SESA
    EAI
    DOI: 10.4108/eai.13-7-2018.162797
Saeed Ibrahim Alqahtani1,*, Shujun Li2, Haiyue Yuan3, Patrice Rusconi3
  • 1: Taibah University, Madinah, Saudi Arabia
  • 2: University of Kent, Canterbury, UK
  • 3: University of Surrey, Guildford, UK
*Contact email: siqahtani@taibahu.edu.sa

Abstract

Proactive password checkers have been widely used to persuade users to select stronger passwords by providing machine-generated strength ratings of passwords. If such ratings do not match human-generated ratings of human users, there can be a loss of trust in PPCs. In order to study the effectiveness of PPCs, it would be useful to investigate how human users perceive such machine- and human-generated ratings in terms of their trust, which has been rarely studied in the literature. To fill this gap, we report a large-scale crowdsourcing study with over 1,000 workers. The participants were asked to choose which of the two ratings they trusted more. The passwords were selected based on a survey of over 100 human password experts. The results revealed that participants exhibited four distinct behavioral patterns when the passwords were hidden, and many changed their behaviors significantly after the passwords were disclosed, suggesting their reported trust was influenced by their own judgments.