{"id":15383,"date":"2019-02-16T03:17:52","date_gmt":"2019-02-16T03:17:52","guid":{"rendered":"http:\/\/www.lifeandnews.com\/articles\/?p=15383"},"modified":"2019-02-18T06:38:22","modified_gmt":"2019-02-18T06:38:22","slug":"a-secure-relationship-with-passwords-means-not-being-attached-to-how-you-pick-them","status":"publish","type":"post","link":"https:\/\/www.lifeandnews.com\/articles\/a-secure-relationship-with-passwords-means-not-being-attached-to-how-you-pick-them\/","title":{"rendered":"A secure relationship with passwords means not being attached to how you pick them"},"content":{"rendered":"

Merrill Warkentin<\/a>, Mississippi State University<\/a><\/em>; Karen Renaud<\/a>, Abertay University<\/a><\/em>, and Robert Otondo<\/a>, Mississippi State University<\/a><\/em><\/p>\n

When you are asked to create a password \u2013 either for a new online account or resetting login information for an existing account \u2013 you\u2019re likely to choose a password you know you can remember<\/a>. Many people use extremely basic passwords<\/a>, or a more obscure one they reuse across many sites<\/a>. Our research<\/a> has found that others \u2013 even ones who use different passwords for each site \u2013 have a method of devising them, for instance basing them all on a familiar phrase and making site-specific tweaks<\/a>.<\/p>\n

In all those cases, the people are creating weak passwords that are easily guessed \u2013 especially when up against automated password-cracking software that can test thousands of possibilities a second<\/a>. One reason for this weakness might well be their users\u2019 emotional connection to their preexisting password creation routine.<\/p>\n

Cybersecurity efforts often encourage people to choose stronger passwords, but rarely acknowledge the idea that people have this feeling of attachment. They focus on the measurable improvement in security without realizing they\u2019re trying to persuade people to switch to a less personal method<\/a>.<\/p>\n

\"\"<\/a>
There\u2019s a better way to choose a secure password.<\/span>
\nXKCD<\/a>, CC BY-SA<\/a><\/span><\/figcaption><\/figure>\n

Insecure tendencies<\/h2>\n

Passwords are key to cybersecurity<\/a> for people and companies. A single bad password can grant a hacker access to an entire network of computers and data-storage servers<\/a>.<\/p>\n

As a result, many computer systems force users to create new passwords regularly<\/a> \u2013 say, every 30 or 45 days \u2013 and require every password to contain capital letters, numbers and punctuation characters even though federal experts advise against<\/a> both of these practices. Regularly requiring people to choose new passwords that are hard to remember leads to unfortunate side effects. People could reuse a strong password<\/a> on several sites, or they could write down the new password \u2013 which is safe only if you trust the other people<\/a> who have access where you store the record.<\/p>\n

Training people to create secure passwords hasn\u2019t made much of a difference<\/a> to overall password security on the internet. People may not understand the risks<\/a> related to weak passwords \u2013 though some experts blame character flaws<\/a>, stupidity<\/a> or just plain indifference<\/a>.<\/p>\n

The endowment effect<\/h2>\n

Our research<\/a> has identified another explanation for why people choose weak passwords: People feel that they own, and are emotionally attached to, the way they usually create passwords. In behavioral economics, this kind of response is called the endowment effect<\/a>, in which people so overvalue their existing possessions<\/a> that they don\u2019t want to exchange them for other items<\/a> \u2013 even if the new item is better or more valuable.<\/p>\n

\"\"<\/a>
Seriously, it\u2019s time to replace this old clothes washer.<\/span>
\nDja65\/Shutterstock.com<\/a><\/span><\/figcaption><\/figure>\n

The endowment effect is usually applied to physical goods \u2013 and may help explain why your grandmother doesn\u2019t want to get a new washing machine to replace her decades-old one. Our research suggests that the same psychological process influences how people contemplate their password creation routines.<\/p>\n

In our study, we asked 419 participants how they created their passwords. Many used something they already knew, such as a pet name or their own birthday. Others had developed a personal system. They might have a root password and then personalize it for every different site, use a pattern on the keyboard or make up a silly sentence.<\/p>\n

When we probed more deeply, we found that people felt a sense of ownership and personal pride about their password creation routine. One said \u201cI think my way is a good system.\u201d In addition, we found that they overvalued their own method and felt threatened by suggestions that it was flawed.<\/p>\n

We provided a scenario where \u201cTerry\u201d derides \u201cPat\u2019s\u201d password creation routine, and then asked people how they thought Pat would react. The most popular responses were: becoming defensive, avoiding the conversation or withdrawing from it. All of these suggest that a critique of a personal password routine was perceived as an attack or a threat.<\/p>\n

These answers we found lined up perfectly with the endowment effect, including finding that the participants labored under the illusion that their passwords provided more protection than they actually did.<\/p>\n

More than just a habit<\/h2>\n

The attachment people feel to their password-choosing method is more than just a habit. Psychologically speaking, a habit is a behavior cued by an event<\/a> or an item in the environment \u2013 like brushing teeth before bed, washing hands before meals or switching off lights when leaving a room. They\u2019re often nearly automatic, and don\u2019t require a deliberate decision or much thought. Something that\u2019s a habit seems to occur naturally, without any deliberate decision triggering its activation.<\/p>\n

Choosing a password is different. It always requires deliberate and effortful cognition. That\u2019s what brings the endowment effect into play. Cybersecurity training programs should include information not only about how to choose<\/a> more secure passwords, but also should acknowledge that users may feel a sense of loss about the change.<\/p>\n

People won\u2019t pick stronger passwords just because they\u2019re asked to. If they feel their existing methods are being treated with disdain, they might perceive that as a personal attack, and become even less likely to adopt more secure practices.<\/p>\n

Instead, security experts should find ways to minimize users\u2019 sense of loss \u2013 and perhaps even encourage them to find a new emotional connection to a more secure method of choosing.\"The<\/p>\n

Merrill Warkentin<\/a>, James J. Rouse Endowed Professor of Information Systems, Mississippi State University<\/a><\/em>; Karen Renaud<\/a>, Professor of Cybersecurity, Abertay University<\/a><\/em>, and Robert Otondo<\/a>, Associate Professor of Information Systems, Mississippi State University<\/a><\/em><\/p>\n

This article is republished from The Conversation<\/a> under a Creative Commons license. Read the original article<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

Merrill Warkentin, Mississippi State University; Karen Renaud, Abertay University, and Robert Otondo, Mississippi State University When you are asked to create a password \u2013 either for a new online account or resetting login information for an existing account \u2013 you\u2019re likely to choose a password you know you can remember. Many people use extremely basic […]<\/p>\n","protected":false},"author":44,"featured_media":15377,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3410],"tags":[4327,612,5898,793,5795,2288],"_links":{"self":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts\/15383"}],"collection":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/comments?post=15383"}],"version-history":[{"count":2,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts\/15383\/revisions"}],"predecessor-version":[{"id":15397,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts\/15383\/revisions\/15397"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/media\/15377"}],"wp:attachment":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/media?parent=15383"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/categories?post=15383"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/tags?post=15383"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}