Password guidance can dramatically improve account security

Technology users who received even basic guidance on passwords were dramatically better protected as a result

Technology users benefit dramatically from even basic guidance on creating passwords, a new study suggests.

The research, led by the University of Plymouth, found that those who received basic guidance were up to 40% more likely to make their accounts secure.

The study also found that participants given feedback on how likely it was that a hacker could guess their passwords – and therefore access their confidential information – were up to 10 times more likely to change their original choice to something more secure.

At a time when the global cyber security threat is continuing to rise, password strength is more vital than ever.

The research was conducted by the University’s Centre for Security, Communications and Network Research (CSCAN), in conjunction with the Desautels Faculty of Management at McGill University and the Department of Computer Sciences at Purdue University.

Steve Furnell, Professor of Information Security and the Director of CSCAN, said: “Protecting personal and professional assets is no longer an optional duty. Despite the advance in security technology, the weakest link in the information security realm still lies in end-users so it is essential that more support is offered to try and overcome this.”

In one experiment, 300 users created an internet account but only some were offered guidance on choosing a password. Tips included using a standard password meter, emojis or an emotive feedback message.

The results showed that, in the group offered advice, only a third created a ‘weak’ password. In the group offered no advice, that figure rose to 75%.

The second experiment presented 500 participants with more specific security-related advice, including suggestions of how long it would take a hacker to crack their password. Those users created passwords that were up to 10 times stronger as a result.

As part of the study, researchers also demonstrated that several leading sites – including Facebook, Twitter and Amazon – continue to permit weak password practices, allowing combinations of the user’s first name and surname, a string of numbers such as “1234567890” and the word “password”.