Understanding and measuring password management behaviour

Recent research has shown that people continue to exhibit risky password behaviour despite public advice campaigns on secure password behaviour. However, little attention has been given to understand why people persist in risky password behaviour, and how people perceive the risks and the benefits when they undertake password related activities. In this programme of research, I conducted five studies to understand people’s risk perceptions on password related activities; both qualitative and quantitative methodologies were employed, particularly online surveys using the Mechanical Turk crowdsourcing service. To check whether respondents were susceptible to social desirability in their answers, they completed the short version of Marlowe-Crowne social desirability scale. I also gathered feedback from senior researchers working in the area of usable security, to assess whether the range of behaviours and domains represented a good coverage of the password management space. The research makes a number of contributions, including a greater understanding of people’s password management behaviour, including generational differences in these behaviours; people’s perceptions of the risks of a range of password management behaviours; and the relationships between the perceptions of risk, benefit, and the likelihood of engaging in different password management activities. The research also presents valuable information to help researchers and usable security practitioners understand how people’s perceptions affect their management of their passwords. Finally, this programme of research proposes an initial version of a scale for assessing the perception of the risks of different password management behaviour. Future work is required to appropriately validate the scale. It can then be used in further research to investigate people’s understanding of and attitudes towards risk in the area of password management.