Guidelines for Ethical Nudging in Password Authentication

Nudging has been adopted by many disciplines in the last decade in order to achieve behavioural change. Information security is no exception: a number of attempts have been made to nudge end-users towards stronger passwords. Here we report on our deployment of an enriched nudge displayed to participants on the system enrolment page, at the point where a password has to be chosen. The enriched nudge was successful: participants chose significantly longer and stronger passwords. One thing that struck us as we designed and tested this nudge was that we were unable to find any nudge-specific ethical guidelines to inform our experimentation in this context. This led us to reflect on the ethical implications of nudge testing, specifically in the password authentication context. We mined the nudge literature and derived a number of core principles of ethical nudging. We tailored these to the password authentication context, and then showed how they can be applied by assessing the ethics of our own nudge. We conclude with a set of preliminary guidelines, derived from our study, to inform other researchers planning to deploy nudge-related techniques in this context.
