Journal: Information management & computer security

Must I, can I? I don't understand your ambiguous password rules


Abstract

Purpose - The purpose of this research is to investigate user comprehension of ambiguous terminology in password rules. Although stringent password policies are in place to protect information system security, such complexity does not have to mean ambiguity for users. While many aspects of passwords have been studied, no research to date has systematically examined how ambiguous terminology affects user comprehension of password rules.

Design/methodology/approach - This research used a combination of quantitative and qualitative methods in a usable security study with 60 participants. Study tasks contained password rules based on real-world password requirements. Tasks consisted of character-selection tasks that varied the terms for non-alphanumeric characters to explore users' interpretations of password rule language, and compliance-checking tasks to investigate how well users can apply their understanding of the allowed character space.

Findings - Results show that manipulating password rule terminology causes users' interpretation of the allowed character space to shrink or expand. Users are confused by the terms "non-alphanumeric", "symbols", "special characters" and "punctuation marks" in password rules. Additionally, users are confused by partial lists of allowed characters using "e.g." or "etc."

Practical implications - This research provides data-driven usability guidance on constructing clearer language for password policies. Improving language clarity will help usability without sacrificing security, as simplifying password rule language does not change security requirements.

Originality/value - This is the first usable security study to systematically measure the effects of ambiguous password rules on user comprehension of the allowed character space.