Influencing humans to behave in a particular way is surprisingly hard. Spare a thought for King Henry VIII of England during the 16th century. In those days, people would urinate against the walls of his castle. The resulting smell was unpleasant, to say the least. The King and his entourage often had to move to a new castle when the castle became whiffy (in the words of the immortal Baldrick).
The King told his servants to paint large red crosses at the smelliest spots. He was hoping that this would stop the practice, because people would not dare to urinate on a religious symbol. This did not work – they seemed to relish having something to aim at.
Funnily enough, in recent years Schiphol airport in Amsterdam painted a fly inside their urinals to give people something to aim at. In this case, the intervention reduced spillage.
Nudging
King Henry VIII’s red crosses might well be a medieval version of Thaler and Sunstein’s “nudge”. Since their Nudge book was published in 2009, a number of governments (USA, UK, Australia) have established nudge units. They try to identify nudges that can be used to change unwise behaviors. The idea is that the nudge is a small manipulation of the “choice architecture” that aims to prompt people to choose the course of action the designer wants them to take. (The choice architecture is simply the environment within which the choice is made.)
Yet, as King Henry VIII found, changing behaviors is harder than it seems.
Password Choice
One of the most intractable behaviors in cyber security is the prevalent use of weak passwords. Hackers exploit weak passwords to get into people’s accounts. Information security practitioners used to think that this was because people didn’t know how to make a strong password. So they worked hard to ensure that knowledge about strong passwords was communicated to everyone.
This did not make the difference they hoped it would. Bridging the knowledge gap did not guarantee a change in behavior. Another idea was to issue people with strong passwords, to take human choice out of the equation altogether. But then people forget these passwords and might write them down.
Password Nudging
We started looking at choice architecture manipulations that might persuade folks to choose stronger passwords. Researchers had already experimented with the display of password strength meters to show people, as they typed, how strong their passwords were. This addressed the knowledge gap. Some researchers reported that these meters made people choose stronger passwords, but others found that they didn’t make much of a difference.
Over a two-year period, we displayed a range of different pictures above the password entry field. None of these was effective – the overall password strength profile did not budge. In the third year of our study, we found a nudge that worked. Strong passwords are costly – they take longer to type and are harder to memorize. This means that people have no incentive to choose a strong password because it is far more expensive in terms of effort. People will always choose the path of least resistance – that’s just how we are made. A simple visual cue nudge did not have the power to overcome this human tendency.
Enriched Nudge
So, we injected power into our “enriched” nudge. We offered our participants an incentive to choose a stronger password. The stronger their password, the longer they could keep using it. We manipulated the choice architecture by displaying a wiener dog to make sure people got the message. As they typed, text displayed just below the password entry field told them how long it would be before the password expired. For example, the password “123456” would only be valid for 2 weeks, whereas a good password like “I ate 8 marshmallows at the BBQ” would only expire after 6 months.
In effect, instead of merely trying to nudge people with a visual cue, we actually offered them an incentive. After six months with the enriched nudge on the password choice page, people chose significantly stronger passwords.
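As an added illustration (not the study's own implementation), the sketch below shows how the enriched nudge can be wired up: a rough strength estimate for the password being typed is turned into the validity period shown beneath the field. The entropy heuristic, the common-password sample and the tier boundaries are assumptions made here; only the two anchors, “123456” lasting 2 weeks and a strong passphrase lasting 6 months, come from the text.

```python
import math
import re
import string

# Constructed sample of very common passwords (a real deployment would use a
# large breached-password list); anything on it gets the shortest validity.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "111111", "iloveyou"}

# Assumed validity tiers: minimum estimated bits of entropy -> days of validity.
# Anchors from the text: "123456" lasts 2 weeks, a strong passphrase 6 months.
EXPIRY_TIERS = [(60, 180), (44, 90), (32, 30), (0, 14)]


def charset_size(password: str) -> int:
    """Size of the combined character pools the password draws from."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += 33  # space and printable punctuation
    return size


def estimate_bits(password: str) -> float:
    """Crude entropy estimate: length * log2(pool size), with a penalty for
    runs of a repeated character, and zero for blocklisted passwords."""
    if not password or password.lower() in COMMON_PASSWORDS:
        return 0.0
    per_char = math.log2(charset_size(password))
    bits = len(password) * per_char
    # "aaaa" or "BB" is far cheaper to guess than its length suggests.
    repeated = sum(len(m.group(0)) - 1 for m in re.finditer(r"(.)\1+", password))
    return max(bits - repeated * per_char * 0.75, 0.0)


def validity_days(password: str) -> int:
    """Map the estimate onto the assumed expiry tiers (stronger = longer)."""
    bits = estimate_bits(password)
    return next(days for minimum, days in EXPIRY_TIERS if bits >= minimum)


def nudge_message(password: str) -> str:
    """Text displayed beneath the password field as the user types."""
    days = validity_days(password)
    if days >= 30:
        return f"This password will be valid for {days // 30} months"
    return f"This password will be valid for {days // 7} weeks"
```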
Proviso
We do not believe that this nudge ought to be widely adopted for every possible account. It should only be used when something of real value is being protected, like a bank or email account. Strong passwords are costly, so we should do our best to help people match the strength of their password to the value of the asset it protects. This means that we have to ensure that the asset being protected is worth the time and effort required to manage the strong password.
In Conclusion …
Nudges do not address the root cause of weak passwords: human memory limitations. Henry VIII’s problem disappeared when indoor plumbing became universal. While people have to remember their passwords, the tendency to choose weak passwords will persist. Hence judicious deployment of nudges for important accounts is the wiser option than widespread usage, which is likely to backfire.
Paper
Karen Renaud, Verena Zimmermann. Nudging Folks Towards Stronger Password Choices: Providing Certainty is the Key. Behavioural Public Policy. Volume 3, Issue 2, 12 February 2018, pp. 228–258. DOI: https://doi.org/10.1017/bpp.2018.3