Eryn Ma,Summer Hasama,Eshaan Lumba,Eleanor Birrell

DOI: https://doi.org/10.48550/arXiv.2201.01350

2022-01-04

Cryptography and Security

Abstract:User-chosen passwords remain essential to online security, and yet people continue to choose weak, insecure passwords. In this work, we investigate whether prospect theory, a behavioral model of how people evaluate risk, can provide insights into how users choose passwords and whether it can motivate new designs for password selection mechanisms that will nudge users to select stronger passwords. We ran a user study with 762 participants, and we found that an intervention guided by prospect theory -- which leverages the reference-dependence effect by framing selecting weak passwords as a loss relative to choosing a stronger password -- causes approximately 25% of users to improve the strength of their password (significantly more than alternative interventions) and reduced the final number of weak passwords by approximately 25%. We also evaluate the relation between user behavior and users' mental models of hacking and password attacks. These results provide guidance for designing and implementing account registration mechanisms that will significantly improve the strength of user-selected passwords, thereby leveraging insights from prospect theory to improve the security of systems that use password-based authentication.

Naomi Woods,Mikko Siponen

DOI: https://doi.org/10.1016/j.cose.2023.103589

IF: 5.105

2024-02-01

Computers & Security

Abstract:Password reuse and modification are insecure password behaviors that are becoming increasingly prevalent as users are obliged to remember more passwords to access various digital services. Many users adopt these risky behaviors as a memory strategy in the belief that they have too many passwords for their memories to cope with. One important avenue in password research is metamemory, which encompasses the knowledge and understanding of memory capabilities and strategies. Previous research on password metamemory has examined the role that metamemory plays in memory performance (i.e., how well memory performs) and password recall. However, no previous research to date has investigated whether password reuse and modification are adopted as memory strategies due to an increase in knowledge and understanding of metamemory. To address this gap, two survey studies (Study1: N = 50, Study 2: N = 303) were implemented to examine the role that password metamemory plays in reusing and modifying passwords. Our findings suggest that of all metamemory constructs, users’ anxiety regarding their perceived ability to remember passwords can influence them to reuse and modify their passwords. These findings have potentially important implications because with an enhanced understanding of how users’ anxiety towards remembering passwords influences their security behavior, this could identify means of reducing password reuse and modification, thereby increasing password security and ultimately reduce some of the consequences of insecure password behaviors.

computer science, information systems

Gilbert Notoatmodjo,Clark D. Thomborson

2009-01-01

Abstract:The security of many computer systems hinges on the secrecy of a single word - if an adversary obtains knowledge of a password, they will gain access to the resources controlled by this password. Human users are the 'weakest link' in password control, due to our propensity to reuse passwords and to create weak ones. Policies which forbid such unsafe password practices are often violated, even if these policies are well-advertised. We have studied how users perceive their accounts and their passwords. Our participants mentally classified their accounts and passwords into a few groups, based on a small number of perceived similarities. Our participants used stronger passwords, and reused passwords less, in account groups which they considered more important. Our participants thus demonstrated awareness of the basic tenets of password safety, but they did not behave safely in all respects. Almost half of our participants reused at least one of the passwords in their high-importance accounts. Our findings add to the body of evidence that a typical computer user suffers from 'password overload'. Our concepts of password and account grouping point the way toward more intuitive user interfaces for password-and account-management systems.

Ruti Gafni,Tal Pavel,Raz Margolin,Ben Weiss

DOI: https://doi.org/10.36965/ojakm.2017.5(1)27-41

2017-05-04

Online Journal of Applied Knowledge Management

Abstract:Passwords are the standard means of registration and access to Websites, information systems, online services and various social networks. Databases are increasingly breached and social engineering is employed to obtain usernames and passwords for online fraud, therefore, there is a need to secure existing passwords, and to create ones that will be more crack-resistant. This study addresses the issue of personal data, which users enter on social networks, and incorporate in passwords, as well as how tracking and identifying this data assists hackers in cracking these passwords. The study focuses on Facebook, conducting an online anonymous questionnaire among 195 respondents, and an experiment among a voluntary response sample of 72 participants, in which passwords were tried to been deciphered by a custom dictionary attack. The findings confirm a link between the use of accessible online personal data and success rates of password deciphering. The findings underscore the grave threat to users’ information security - not only as a result of their voluntary exposure of personal data on social networks, but also due to the integration of this data into their passwords. The study argues the need to emphasize users' awareness to their password strength, with this vulnerability in mind.

Christopher R. Sears,Daniel R. Cunningham

DOI: https://doi.org/10.3390/jcp4030028

2024-08-20

Journal of Cybersecurity and Privacy

Abstract:Data breach incidents are now a regular occurrence, with millions of people affected worldwide. Few studies have examined the psychological aspects of data breach experiences, however, or the individual differences that influence how people react to these events. In this study, we examined the psychological stress associated with a personal experience with a data breach and several individual differences hypothesized to modulate such stress (age, gender, digital security awareness and expertise, trait anxiety, negative emotionality, and propensity to worry). A student sample (N = 166) and a community sample (N = 359) completed an online survey that asked participants to describe their most serious data breach and then complete the Impact of Events Scale—Revised (IES-R) to answer specific questions about the nature of the stress they experienced after the breach. Standard measures of trait anxiety, negative emotionality, and propensity to worry were also completed. A Data Breach Severity Index (DBSI) was created to quantify the invasiveness and consequences of each participant’s data breach. Hierarchical multiple regression analyses were used to identify demographic variables and psychological characteristics predictive of IES-R scores while controlling for DBSI scores. As expected, more invasive and consequential data breaches were associated with higher IES-R scores (greater data-breach-induced stress). Women had higher IES-R scores than men, and this difference persisted after controlling for gender differences in anxiety, negative emotionality, and propensity to worry. Greater daily social media use was associated with higher IES-R scores, whereas higher digital security expertise was associated with lower IES-R scores. The results illuminate several relationships between demographic and psychological characteristics and data-breach-induced stress that should be investigated further.

computer science, information systems, interdisciplinary applications, software engineering

Tom Heyman,Robin Boere,Sebastiaan de Jong,Lotte Hoogeterp,Joyce Kraaijenbrink,Charlotte Kuipers,Martijn van Dijk,Lotte van Rijn,Twan van Wijk

DOI: https://doi.org/10.1525/collabra.35745

2022-01-01

Abstract:Stress is often associated with negative consequences, and this also applies in the context of memory retrieval. However, Smith, Hughes, et al. (2019) proposed that this relationship only holds for information stored in episodic memory, because it relies on the hippocampus. In contrast, conceptual knowledge is stored in semantic memory, which is associated with neocortical and striatal brain regions that are upregulated during stress. Indeed, Smith, Hughes, et al. (2019) found that people experiencing acute psychosocial stress performed better on a subsequent trivia questionnaire compared to a control group. Moreover, performance correlated positively with cortisol reactivity. These findings are important, novel, and perhaps somewhat surprising, hence it is important to establish their generalizability. The latter is accomplished in the present study through a multiverse analysis. The results showed that the effect is relatively robust to variations in the scoring rules for the trivia questionnaire, the type of statistical model being used, and the inclusion versus exclusion of gender as a covariate in the analyses. However, we obtained mostly null effects when using the change in psychological stress levels as a predictor variable, and/or when only considering questions that were actually answered. The latter finding in particular is worrisome as it might point to alternative explanations. That is, stress might improve performance, because participants are more engaged with the task or are more prone to guess, regardless of its (potential) impact on semantic memory retrieval. Hence, it is premature to conclude that stress enhances semantic memory.

psychology, multidisciplinary

Rahul Dubey,Miguel Vargas Martin

DOI: https://doi.org/10.1109/pst52912.2021.9647823

2021-12-13

Abstract:Passwords have been around for many decades and have tenaciously remained the primary means of identification and authentication. Assuming that the communication channel is not intercepted, the strength of security provided by passwords is largely dependent on two factors: password selection and password storage mechanism. While both areas have been looked into by researchers in the past, there is no consensus to suggest whether or not humanity has moved towards choosing stronger passwords, notwithstanding strong password enforcement policies. One of the key reasons behind this shortcoming is the lack of data about individual credentials in leaked datasets, which usually contain only usernames and passwords. To the best of our knowledge, we are the first researchers to enrich the attribute set of any user credential database, thus allowing deeper insights. We outline the method we devised for adding new attributes (time-stamp and source inference) to a dataset of 1.4 billion user credentials. Subsequently, we use our modified dataset to determine how passwords have evolved overtime with respect to strength and whether humankind as a whole has learned from its past mistakes.

Yiming Zhao,Wenting Li,Zijian Zhang,Ping Wang

DOI: https://doi.org/10.1109/BigDataService.2019.00029

2019-01-01

Abstract:Based on the ecological user memory, this paper establishes a security strategy model (SSM) to quantify the memory cost of passwords and the value of accounts to users in assword expiration strategy. This paper introduces the theory of human ecological memory to explain the memory cost of account password to users. We experiment on 304 users to prove that when users modify a single account, the security benefits of modifying a high-value account are greater for users. In the case of modifying multiple accounts, modifying accounts with password reuse will gain greater security for users. Experimental results show that when users modify password accounts, adding personal information can increase password strength to some extent while minimizing memory costs. In this paper, we for the first time use user ecological memory as one of the criteria to evaluate user security benefits, which might be the trend of future research on user behavior creating and password modification policy.

Chao Shen,Tianwen Yu,Haodi Xu,Gengshan Yang,Xiaohong Guan

DOI: https://doi.org/10.1016/j.cose.2016.05.007

IF: 5.105

2016-01-01

Computers & Security

Abstract:Due to increasing security awareness of password from the public and little attention on the characteristics of real-life passwords, it is thus natural to understand the current state of characteristics of real-life passwords, and to explore how password characteristics change over time and how earlier password practice is understood in current context. In this work, we attempt to present an in-depth and comprehensive understanding of user practice in real-life passwords, and to see whether the previous observations can be confirmed or reversed, based on large-scale measurements rather than anecdotal knowledge or user surveys. Specifically, we measure password characteristics on over 6 million passwords, in terms of password length, password composition, and password selection. We then make informed comparisons of the findings between our investigation and previously reported results. Our general findings include: (1) average password length is at least 12% longer than previous results, and 75% of our passwords have the length between 8 and 10 characters; (2) there is a significant increase of using only numbers as passwords, and easy-to-reach symbols are always the first choice when users added symbols into passwords; (3) there observes a remarkable increase (about 40%) of using combo-meaningful data as passwords, and a striking proportion of using the most common passwords or login names as passwords. Our investigation also includes collecting statistics about the use of symbols, letter-case, and meaningful details, which presents a systematic analysis of password usage. The comparative results indicate that the password characteristics and password practice on this massive password data set are somewhat inconsistent with those from anecdotal knowledge and user surveys, and exhibit a substantial change over time in some ways. Further research needs to build upon this understanding for gaining insight into how password security can be improved.

Alaa Nehme,Meng (Leah) Li,Merrill Warkentin

DOI: https://doi.org/10.1016/j.cose.2024.103941

IF: 5.105

2024-06-08

Computers & Security

Abstract:Robust password management is crucial for users' information security. The use of password manager technology, which constitutes adaptive coping, is the dominant method for robust password management. Nonetheless, many users engage in maladaptive coping, adopting poor password management behaviors, such as using easy-to-remember passwords and using the same password across multiple accounts. Against this backdrop, this paper considers both adaptive and maladaptive coping factors for studying password manager use. As such, we incorporate the adaptive coping factor of password manager trustworthiness and the maladaptive coping factor of password mismanagement convenience into a research model that draws upon Hope-extended Protection Motivation Theory. We tested our model with a survey of US users. Our main findings indicate that password manager trustworthiness drives users' appraised coping potential and that password mismanagement convenience has a context-specific (i.e., specific to the password manager use context) intricacy in how it reduces password manager use. Our theoretical contributions include expanding the range of Protection Motivation Theory's input sources, expanding the range of the studied context-specific factors in the password manager use context, and unveiling the uniqueness of the password manager context. This work also informs practice, especially with respect to how messages that aim to promote password manager use may be designed.

computer science, information systems

Nina M. Ehrhardt,Julia Fietz,Johannes Kopf‐Beck,Nils Kappelmann,Anna‐Katharine Brem

DOI: https://doi.org/10.1111/ejn.15211

IF: 3.698

2021-05-03

European Journal of Neuroscience

Abstract:<p>The prefrontal cortex is a key player in stress response regulation. Electroencephalographic (EEG) responses, such as a decrease in frontal alpha and an increase in frontal beta power, have been proposed to reflect stress‐related brain activity. However, the stress response is likely composed of different parts such as cognitive effort, time pressure, and social‐evaluative threat, which have not been distinguished in previous studies. This distinction, however, is crucial if we aim to establish reliable tools for early detection of stress‐related conditions and monitoring of stress responses throughout treatment. This randomized cross‐over study (<i>N</i> = 38) aimed to disentangle EEG correlates of stress. With linear mixed models accounting for missing values in some conditions, we found a decrease in frontal alpha and increase in beta power when performing the Paced Auditory Serial Addition Test (PASAT; cognitive effort; <i>n</i> = 32) compared to resting state (<i>n</i> = 33). No change in EEG power was found when the PASAT was performed under time pressure (<i>n</i> = 29) or when adding social‐evaluative threat (video camera; <i>n</i> = 29). These findings suggest that frontal EEG power can discriminate stress from resting state but not more fine‐grained differences of the stress response.</p>

neurosciences

Liangying Liu,Jianhui Wu,Haiyang Geng,Chao Liu,Yuejia Luo,Jing Luo,Shaozheng Qin

DOI: https://doi.org/10.1093/cercor/bhab393

IF: 4.861

2021-12-06

Cerebral Cortex

Abstract:Abstract Long-term stress has a profound impact on executive functions. Trait anxiety is recognized as a vulnerable factor accounting for stress-induced adaptive or maladaptive effects. However, the neurocognitive mechanisms underlying long-term stress and trait anxiety interactions remain elusive. Here we investigated how long-term stress and trait anxiety interact to affect dynamic decisions during n-back task performance by altering functional brain network balance. In comparison to controls, participants under long-term stress experienced higher psychological distress and exhibited faster evidence accumulation but had a lower decision-threshold when performing n-back tasks in general. This corresponded with hyper-activation in the anterior insula, less deactivation in the default-mode network, and stronger default-mode network decoupling with the frontoparietal network. Critically, high trait anxiety under long-term stress led to slower evidence accumulation through higher frontoparietal activity during cognitively demanding task, and increased decoupling between the default-mode and frontoparietal networks. Our findings suggest a neurocognitive model of how long-term stress and trait anxiety interplay to affect latent dynamic computations in executive functioning with adaptive and maladaptive changes, and inform personalized assessments and preventions for stress vulnerability.

neurosciences

Mingming Qi,Ru Gai,Heming Gao

DOI: https://doi.org/10.1177/17470218231171481

IF: 2.138

2023-05-04

Quarterly Journal of Experimental Psychology

Abstract:Quarterly Journal of Experimental Psychology, Ahead of Print. This study investigated whether chronic academic stress could affect the directed forgetting (DF) process. Both the stress group (undergoing preparation for a major academic examination) and the control group performed a DF task. A forgetting cue was presented after a to-be-forgotten (TBF) word, whereas no cue appeared after a to-be-remembered (TBR) item in the study phase. An old/new recognition test was used in the test phase. The results showed that (1) the stress group showed a higher level of self-reported stress, state anxiety, negative affect, and decreased cortisol awakening response (CAR) compared with the control group, suggesting a higher level of stress for the stress group. (2) Both groups showed superior recognition performance of TBR than TBF items, suggesting a DF effect. (3) The stress group showed inferior recognition performance of TBF items and an enhanced DF effect compared with the control group. These results demonstrated that the intentional memory control process might be enhanced under chronic academic stress.

psychology, experimental,physiology

Adam Abdulla

DOI: https://doi.org/10.1177/00332941241231210

IF: 2.3

2024-02-29

Psychological Reports

Abstract:Psychological Reports, Ahead of Print. It is widely assumed that the term "weakness" has negative psychological effects and should be replaced by "area for improvement." The present study is the first to examine the matter experimentally. It was hypothesised that effects of "weakness" (vs. "area for improvement") are most pronounced in those with low perceived self-efficacy in the relevant domain. Two experiments were conducted in the domain of self-regulation. In those with low perceived self-efficacy for self-regulation (PSESR), "weakness" apparently had a negative indirect effect on improvement expectancy by increasing the perceived stability (Experiment 1) or lowering the perceived controllability (Experiment 2) of the problem. Moreover, at low levels of PSESR in Experiment 2, estimated indirect effects of "weakness" on perceived value of improvement were both positive and negative. However, gender apparently moderated those effects. "Weakness" apparently lowered perceived controllability in both males and females but in women the negative effect was more pronounced when PSESR was low. In addition, "weakness" apparently increased perceived internality in males with low PSESR. Compared to "area for improvement," "weakness" may indeed have some (negative) psychological effects in people with low perceived self-efficacy in the relevant domain. Given the ubiquity of these terms in evaluative contexts and the widespread fears of the term "weakness," more experimental research needs to be conducted.

psychology, multidisciplinary

Jeremiah Blocki,Ben Harsha,Samson Zhou

DOI: https://doi.org/10.48550/arXiv.2006.05023

2020-06-09

Abstract:We develop an economic model of an offline password cracker which allows us to make quantitative predictions about the fraction of accounts that a rational password attacker would crack in the event of an authentication server breach. We apply our economic model to analyze recent massive password breaches at Yahoo!, Dropbox, LastPass and AshleyMadison. All four organizations were using key-stretching to protect user passwords. In fact, LastPass' use of PBKDF2-SHA256 with $10^5$ hash iterations exceeds 2017 NIST minimum recommendation by an order of magnitude. Nevertheless, our analysis paints a bleak picture: the adopted key-stretching levels provide insufficient protection for user passwords. In particular, we present strong evidence that most user passwords follow a Zipf's law distribution, and characterize the behavior of a rational attacker when user passwords are selected from a Zipf's law distribution. We show that there is a finite threshold which depends on the Zipf's law parameters that characterizes the behavior of a rational attacker -- if the value of a cracked password (normalized by the cost of computing the password hash function) exceeds this threshold then the adversary's optimal strategy is always to continue attacking until each user password has been cracked. In all cases (Yahoo!, Dropbox, LastPass and AshleyMadison) we find that the value of a cracked password almost certainly exceeds this threshold meaning that a rational attacker would crack all passwords that are selected from the Zipf's law distribution (i.e., most user passwords). This prediction holds even if we incorporate an aggressive model of diminishing returns for the attacker (e.g., the total value of $500$ million cracked passwords is less than $100$ times the total value of $5$ million passwords). See paper for full abstract.

Cryptography and Security

Isabelle Blanchette,Anne Richards

DOI: https://doi.org/10.1037/a0029520

IF: 5.564

2013-01-01

Emotion

Abstract:In two experiments, we examined affective responses and attentional bias toward threat. We compared three dimensions of affective responses (subjective, expressive, physiological) to negative and neutral stimuli in high and low anxious participants and examined whether these responses correlated with attentional interference in an emotional Stroop task. We used an evaluative conditioning procedure to manipulate the affective value of stimuli subsequently used in a Stroop task. We measured facial EMG (Experiment 1), skin conductance (Experiment 2), and subjective evaluations (both experiments). High anxious participants displayed Stroop interference from negatively conditioned stimuli. Both high and low anxious participants showed increased facial expressions and physiological arousal to negatively conditioned stimuli during the Stroop task. Findings suggest that differences between high and low anxious participants are more important in the cognitive processing of threat than affective reactions to threat.

psychology, experimental

Derrick Ganye,Kane Smith

DOI: https://doi.org/10.1108/intr-04-2023-0329

IF: 5.9

2024-05-25

Internet Research

Abstract:Purpose Enforcing employee compliance with information systems security policies (ISSP) is a herculean task for organizations as security breaches due to non-compliance continue to soar. To improve this situation, researchers have employed fear appeals that are based on protection motivation theory (PMT) to induce compliance behavior. However, extant research on fear appeals has yielded mixed findings. To help explain these mixed findings, the authors contend that efficacy formation is a cognitive process that is impacted by the cognitive load exerted by the design of fear appeal messages. Design/methodology/approach The study draws on cognitive load theory (CLT) to examine the effects of intrinsic cognitive load, extraneous cognitive load and germane cognitive load on stimulating an individual's efficacy and coping appraisals. The authors designed a survey to collect data from 359 respondents and tested the model using partial least squares. Findings The analysis showed significant relationships between cognitive load (intrinsic, extraneous, and germane) and fear, maladaptive rewards, response costs, self-efficacy and response efficacy. Originality/value This provides support for the assertion that fear appeals impact the cognitive processes of individuals that then in turn can potentially affect the efficacy of fear and coping appraisals. These findings demonstrate the need to further investigate how individual cognition is impacted by fear appeal design and the resulting effects on compliance intention and behavior.

computer science, information systems,telecommunications,business

Juliet Rowe,Thomas Ferguson,Olave Krigolson

DOI: https://doi.org/10.18357/tar121202120178

2021-10-25

The Arbutus Review

Abstract:Stress may alter executive functioning by causing structural and functional changes to the brain. Sub-optimal decisions made under high levels of stress and anxiety may act as a mediator for stress-related health effects. We examined the effect of three personality traits–chronic stress, state anxiety, and trait anxiety–on updating working memory and feedback learning across 330 participants, using electroencephalography (EEG). We hypothesized a decrease in P300 (updating working memory) and reward positivity (feedback learning) amplitudes with increasing chronic stress and anxiety scores. The three personality traits were not correlated with reward positivity amplitudes. Additionally, chronic stress had no effect on P300 amplitudes. However, state and trait anxiety were negatively correlated with P300 amplitudes. Anxiety appears to impact working memory processes, and this effect was amplified with decreasing anxiety score quantiles to reflect the tails of the distribution. Our results are evidence of the beginnings of a correlation between anxiety and the neural correlates of decision-making, offering insight into anxiety-related adverse health outcomes.

Ronald N. Goodman,Jeremy C. Rietschel,Li-Chuan Lo,Michelle E. Costanzo,Bradley D. Hatfield

DOI: https://doi.org/10.1016/j.ijpsycho.2012.09.008

IF: 2.903

2013-02-01

International Journal of Psychophysiology

Abstract:The relationship between trait and state measures of frontal lobe EEG alpha-band asymmetry in regard to indexing the approach-withdrawal dimension of emotion is unclear. The comparative predictive power of these constructs to explain emotion regulation and cognitive performance was examined under varying degrees of emotional challenge. The Capability Model posits the neural underpinnings of the relative difference in electrical activity between the left and right frontal lobes as a situational mechanism possibly indexing prefrontal-amygdalar interactions and psychological state. EEG, skin conductance, heart rate and acoustic startle amplitude were collected during a working memory task under three increasing levels of stress (final level was threat of shock). During threat of shock participants with higher state asymmetry exhibited greater emotion regulation compared to those with lower scores as indexed by significant attenuation of eyeblink startle magnitudes. The trait measure of frontal EEG asymmetry failed to account for significant variability in emotion regulation. Results implicate state-specific relative left frontal lobe activity as having an adaptive role in the regulation of emotion during cognitive challenge, but only under conditions of sufficient stress.

psychology, experimental,physiology,neurosciences, biological

Kim M Caudwell,Sara Baldini,Gemma Calvezzi,Aidan Graham,Kasie Jackson,Isabella Johansson,Madeline Sines,Lee Wei Lim,Luca Aquili

DOI: https://doi.org/10.1016/j.physbeh.2023.114384

2023-12-01

Abstract:Individuals differ in their ability to learn from reinforcement and in avoiding punishment, which can be measured by the Probabilistic Selection Task (PST). Recently, some studies have demonstrated that this learning bias is regulated by the dopaminergic system, and that stress can differentially affect the use of positive (i.e., reinforcement) and negative (i.e., avoiding punishment) feedback. The current two studies examined whether performance on the PST can predict measures of goal-directed behaviour as assessed by a cognitive flexibility task (Wisconsin Card Sorting Test) and the acquisition of fear responses, when individuals are exposed to a stressor (Socially Evaluated Cold Pressor Test). A total of 26 and 59 healthy participants completed Experiments I and II, respectively. In those who were best at learning from reinforcement, stress increased the processing (i.e., higher skin conductance responses) of non-threatening stimuli during fear acquisition compared to the non-stressful condition, which was not recapitulated in those who were best at avoiding punishment. Additionally, PST performance did not interact with stress to modulate cognitive flexibility, although stress negatively impaired this domain, consistent with previous findings. Furthermore, independent of stress, both positive and negative learning biases were correlated with cognitive flexibility errors. Our results demonstrate that the PST has predictive value for better understanding the determinants of reinforcement and avoidance learning.