In today’s digital landscape, passwords are a dime a dozen. There is a barrage of information on how best to use them to maintain security, whether it be total character length, a certain count of numbers or special characters, or making sure you don’t reuse the last 3-5 passwords for a particular site after admins require you to change it to stay within the password policy requirements. A study by Rick Wash and Emilee Rader explores how users attempt to balance the usability of their passwords against the security those passwords provide. I will be conducting an article review on the topic, showcasing some of the surprising results the authors found.
Relation to principles of the Social Sciences
A few different principles of social science can be quickly identified when reading through the article. The first is objectivity. The study was able to analyze passwords from a real user base rather than a hypothetical one. All the participants’ passwords over the 6-week period came from non-biased sources, allowing for empirical analysis. Another principle seen within the article is parsimony. The study attempted not to introduce unnecessary complexity by focusing on four strategies that had already been identified in previous research and limiting the need for excessive variables. Lastly, ethical neutrality is seen throughout the study, as the data being presented does not advocate for one strategy over another; rather, the authors investigate what decisions users make naturally when selecting passwords and report on that information.
Research Questions & Hypotheses
The overarching research question being asked by Wash & Rader is “How do people decide what password to use for each account?” (Wash & Rader, 2021). There are four hypotheses presented in the study attempting to address the question. The simplest of the strategies is Reuse-focused: the user always chooses the same password regardless of the website they are visiting. The Creation-focused strategy uses the website’s password policy to create a password that meets all the requirements of the site. This theory is stated to be high level, though, and is further broken down into two sub-strategies. Usage-focused relies on the day-to-day use of the password. “The more frequently the password needs to be entered and used, the simpler the password should be.” (Wash & Rader, 2021). The less often you have to access a site, though, the more complex the password becomes. Security-focused is the last hypothesis. Wash & Rader state that the more important users consider a site to be, the more complex and longer the password will be. Conversely, if the site is considered to be less important, “throwaway” passwords are used.
Research Methods
The methods of research used throughout the study were collecting password data from 134 real participants over a six-week study period, as well as using a browser plugin that recorded the password entries, all of which were hashed so that privacy was maintained for the participants.
Data & Analysis
“An ecologically valid dataset of 853 passwords entered a total of 2533 times by 134 users into 1010 websites” (Wash & Rader, 2021) was used as qualitative data to analyze the impact of all constraints within the study. The hypotheses were tested using falsification rather than confirmation to reduce the chance of confirmation bias that may have been present in other studies.
Relation to CYSE201S
This study can be related to CYSE201S through cyber victimization. If users are faced with optimism bias or hyperbolic discounting, they could think nothing bad can happen to them or their accounts or make short-sighted decisions like using a repeated password on important sites.
Challenges/Concerns
Challenges can be foreseen for users who may have low digital literacy. They may not realize the risk they could be putting themselves in by not understanding why certain password policies are put into place, or that writing a password down and displaying it on a monitor or under a keyboard isn’t creating the level of security they think it is. Another group of people who could face challenges is individuals with memory and fine motor deficits. They may not be able to remember complex passwords or to input them correctly and consistently.
Societal Contributions
This study can provide contributions to society by improving how we understand the behaviors of users. If we understand what users naturally want to do, policies can be written to better align with how passwords are naturally chosen while still making sure security isn’t an afterthought.
In conclusion, the study challenges the common thought that passwords are selected only for ease of use. Other factors are involved, which have users adapting their behaviors in creating passwords based on perceived risk, what the website requires of them, and overall usability. The findings highlight the need for policies that align with users rather than blanket policy statements, which could lead to user-friendly authentication methods and improved security without sacrificing usability.