Enriched nudges lead to stronger password replacements … but implement mindfully

摘要

People usually respond to enforced changes caused by password expiry by making each successive password weaker. This is because the effort involved in memorising a password cannot be amortised over a period of time. To ensure retention they use a password they know they will not forget. This paper explores the password-changing behaviour of the participants exposed to an enriched nudge intervention. The enriched nudge combined a traditional nudge (manipulation of the “choice architecture” (user interface)) with a carrot (utility offered by a variable password expiry period, depending on the strength of the password) and a prod (frequent reminders). A longitudinal study discovered that, contrary to expectations and usual practice, participants chose stronger passwords when they replaced them. This finding suggests that changing passwords is more cognitively demanding and effortful than the memorising of a single strong password. Moreover, allowing people to engage in the latter to avoid the former has the effect of improving password strength overall. The paper concludes with an admonition for implementers to be aware of the burden imposed on users by password aging, and urging them to apply it only when the risk justifies imposing this burden.