Password Strength Meters using Social Influence

Millions of people now use password strength meter when the user starts to sign up a service. The impact on password strength meter has been evaluated for several aspects. However, it is believed that there are still ways to design more e ective password strength meters. Recently, Das et al shows that social in uence or social proof is e ective to adopt security features[1, 2, 3]. It seems that social in uence is also e ective for password strength meters. Actually, Egelman, et al partially shows its e ectiveness[4]. In this poster, we prepare ve types of password strength meters using social in uence and evaluate them. First one is bar-type password strength meters, which has 2 meters on screen showing user's password strength and similar users' score (Fig. 2). In this case, similar means users who have same attributes like age, job, etc. Second one is also bartype similar to First one. It has 2 meters on screen showing user's password strength and the average score of all users (Fig. 3). Third one shows score itself, which 2 values on screen showing the user's score and similar users' score (Fig. 4). Fourth one shows icons on bar-type meter. A running man shows the user's score and a ag shows similar users' score (Fig. 5). Fifth one is tachometer showing the user's score by a hand and area of similar users' score by dashed line (Fig. 6). We conduct user study to measure e ectiveness of proposed meters by using Japanese crowdsourcing service Lancers, which is a similar service to Amazon Mechanical Turk. 100 users are attended to each study. Totally 700 users are attended. 50 Japanese yen has been paid for a task. This user study is conducted from Dec. 30th, 2014 to Jan. 29th, 2015. We did not gather plain password itself, but score calculated by Javascript in the user's browser, length of password, number of digits in the password, number of upper cases in the password, number of lower cases in the password and number of symbols in the password. Table 1 shows the average score on each meter. The score is calculated using the way of scoring on Ur's paper [5]. Table 2 shows the construction of passwords on each meter. Table 3 shows P-value which is result of Kruscal-Wallis testing between basic password strength meter and each proposed meter. The results show stronger social in uence re ects stronger password strength.