Persuasion for Stronger Passwords: Motivation and Pilot Study

  • Alain Forget
  • Sonia Chiasson
  • P. C. van Oorschot
  • Robert Biddle
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5033)


Text passwords are the ubiquitous method of authentication, used by most people for most online services. Many people choose weak passwords that are vulnerable to attackers who simply guess all the passwords within the most probable password spaces. This paper describes a lightweight password creation mechanism that uses Persuasive Technology to influence users to create stronger passwords. Results from a pilot study show that our Persuasive Text Passwords (PTP) prototype system successfully influenced users to create and remember more secure passwords.


authentication computer security passwords Persuasive Technology usable security 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Adams, A., Sasse, M.A.: Users Are Not The Enemy. Communications of the ACM 42(12), 41–46 (1999)CrossRefGoogle Scholar
  2. 2.
    Burr, W.E., Dodson, D.F., Polk, W.T.: Electronic Authentication Guideline. NIST Special Publication 800-63, Version 1, pp. 1–53 (2004)Google Scholar
  3. 3.
    Forget, A., Chiasson, S., Biddle, R.: Persuasion as Education for Computer Security. In: Association for the Advancement of Computing in Education (AACE) E-Learn, pp. 822–829 (2007)Google Scholar
  4. 4.
    Chiasson, S., van Oorschot, P.C., Biddle, R.: A Usability Study and Critique of Two Password Managers. In: 15th USENIX Security Symposium, pp. 1–16 (2006)Google Scholar
  5. 5.
    Florencio, D., Herley, C.: A Large-Scale Study of Web Password Habits. In: 16th International World Wide Web Conference (WWW), pp. 657–666 (2007)Google Scholar
  6. 6.
    Fogg, B.J.: Persuasive Technology: Using Computers to Change What We Think and Do. Morgan Kaufmann, San Francisco (2003)Google Scholar
  7. 7.
    Furnell, S.: An assessment of website password practices. J. Computers & Security 26(7-8), 445–451 (2007)Google Scholar
  8. 8.
    Gasser, R., Brodbeck, D., Degen, M., Luthiger, J., Wyss, R., Reichlin, S.: Persuasiveness of a Mobile Lifestyle Coaching Application Using Social Facilitation. In: IJsselsteijn, W., de Kort, Y., Midden, C., Eggen, B., van den Hoven, E. (eds.) PERSUASIVE 2006. LNCS, vol. 3962, pp. 27–38. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  9. 9.
    Kuo, C., Romanosky, S., Cranor, L.F.: Human Selection of Mnemonic Phrase-based Passwords. In: 2nd Symposium on Usable Privacy and Security (SOUPS), pp. 67–78 (2006)Google Scholar
  10. 10.
    Lucero, A., Zuloaga, R., Mota, S., Muñoz, F.: Persuasive Technologies in Education: Improving Motivation to Read and Write for Children. In: IJsselsteijn, W., de Kort, Y., Midden, C., Eggen, B., van den Hoven, E. (eds.) PERSUASIVE 2006. LNCS, vol. 3962, pp. 142–153. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  11. 11.
    Peterson, L.R., Peterson, M.J.: Short-term retention of individual verbal items. J. Experimental Psychology 58(3), 193–198 (1959)CrossRefGoogle Scholar
  12. 12.
    Sasse, M.A.: Computer Security: Anatomy of a Usability Disaster, and a Plan for Recovery. In: ACM CHI 2003 Workshop on HCI and Security Systems (2003)Google Scholar
  13. 13.
    Shostack, A., Syverson, P.: What Price Privacy (and why identity theft is about neither identity nor theft). In: Camp, L.J., Lewis, S. (eds.) Economics of Information Security, pp. 129–142. Kluwer Academic, Norwell (2004)CrossRefGoogle Scholar
  14. 14.
    Solar Designer: John the Ripper password cracker (2006) (accessed, March 2008),
  15. 15.
    Sterns, A., Mayhorn, C.: Persuasive Pillboxes: Improving Medication Adherence with Personal Digital Assistants. In: IJsselsteijn, W., de Kort, Y., Midden, C., Eggen, B., van den Hoven, E. (eds.) PERSUASIVE 2006. LNCS, vol. 3962, pp. 195–198. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  16. 16.
    Weirich, D., Sasse, M.A.: Pretty Good Persuasion: A first step towards effective password security in the real world. In: 7th New Security Paradigms Workshop, pp. 137–143 (2001)Google Scholar
  17. 17.
    Whitten, A., Tygar, J.D.: Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0. In: 8th USENIX Security Symposium, pp. 169–183 (1999)Google Scholar
  18. 18.
    Yan, J., Blackwell, A., Anderson, R., Grant, A.: Password Memorability and Security: Empirical Results. IEEE Security & Privacy Magazine 2(5), 25–31 (2004)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Alain Forget
    • 1
    • 2
  • Sonia Chiasson
    • 1
    • 2
  • P. C. van Oorschot
    • 1
  • Robert Biddle
    • 2
  1. 1.School of Computer ScienceCarleton UniversityOttawaCanada
  2. 2.Human-Oriented Technology LabCarleton UniversityOttawaCanada

Personalised recommendations