Skip to main content
Log in

The importance of social identity on password formulations

  • Original Article
  • Published:
Personal and Ubiquitous Computing Aims and scope Submit manuscript

Abstract

Passwords are regarded as the most common authentication mechanism used by Web-based services, despite large-scale attacks and data breaches regularly exploiting password-associated vulnerabilities. We investigate the trends behind password formulation in an exploratory study to postulate that social identity and language play a major role in users’ general attitude toward formulating passwords. For this, we conduct a descriptive analysis of two publicly available datasets containing real username and password combinations to determine whether these socio-cultural factors play a formative role in how users formulate their passwords across countries. The preliminary results confirm that both these elements contribute to increased vulnerabilities associated with passwords. The novelty of our work lies in the exploratory investigation of identifiable trends in password formulation with regard to social context (language and identity influences) and technical context (particularly password structure). The impact of our study is a move toward a better understanding of human behavior in the context of password formulation specifically, to enable the future crafting of more targeted cybersecurity interventions that would lead to positive online behavioral change.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6

Similar content being viewed by others

Notes

  1. We assume that the official language specified is used throughout each country although different regions may use dialects or a completely different language altogether.

  2. https://databases.today/

  3. https://databases.today/

  4. https://haveibeenpwned.com/Passwords has a collection of more than 551 million breached passwords, providing real user data to security researchers.

  5. Calculations of password entropy were made based on the NIST standards [12] detailed in Section 3.2.1.

References

  1. Christopher JD (2014) Cybersecurity capability maturity model. Department of Homeland Security

  2. Adams A, Sasse M (1999) Users are not the enemy. Commun ACM 42(12):40–46

    Article  Google Scholar 

  3. De Donno M, Dragoni N, Giaretta A, Spognardi A (2018) DDoS-capable IoT malwares: comparative analysis and mirai investigation. Security and Communication Networks

  4. Kolias C, Kambourakis G, Stavrou S, Voas J (2017) DDoS in the IoT: Mirai and other botnets. Computer 50(7):80–84

    Article  Google Scholar 

  5. Malderle T, Wubbeling M, Knauer S, Sykosch A, Meier M (2018) Gathering and analyzing identity leaks for a proactive warning of affected users. In: Proceedings of the 15th ACM international conference on computing frontiers. pp 208–2011, ACM

  6. Wu T, Yang Y, Wang C, Wang R (2019) Study on massive-scale slow-hash recovery using unified probabilistic context-free grammar and symmetrical collaborative prioritization with parallel machines. Symmetry 11:1–20

    MATH  Google Scholar 

  7. Braz C, Seffah A, M’Raihi D (2007) Designing a trade-off between usability and security: a metrics based-model. In: IFIP Conference on human-computer interaction, pp 114–126, Springer

  8. Gunson N, Marshall D, Morton H, Jack M (2011) User perceptions of security and usability of single-factor and two-factor authentication in automated telephone banking. Comput Secur 30(4):208–220

    Article  Google Scholar 

  9. Anderson CL (2015) Review of national identity programs Pierre Biscaye, Sarah Coney, Eugenia Ho EPAR request no. 306 Brian Hutchinson, Mia Neidhardt C. Leigh Anderson & Travis Reynolds prepared for the Focus Group on Digital Financial Services of the International Telecommunication Union and the Financial Services. Leigh Anderson & Travis Reynolds Prepared for the Focus Group on Digital Financial Services of the International Telecommunication Union and the Financial Services

  10. Wolfond G (2017) A blockchain ecosystem for digital identity: improving service delivery in Canada’s public and private sectors. Technol Innov Manage Rev 10:7

    Google Scholar 

  11. Petrie H, Merdenyan B (2016) Cultural and gender differences in password behaviors: evidence from China, Turkey and the UK. In: Proceedings of the 9th Nordic conference on human-computer interaction. pp 1–10

  12. Grassi P, Fenton J, Newton E, Perlner R, Regenscheid A, Burr W, Richer J, Lefkovitz N, Danker J, Choong Y et al (2017) Nist special publication 800-63b. digital identity guidelines: authentication and lifecycle management, Bericht NIST

  13. Öğütçü G, Testik ÖM, Chouseinoglou O (2016) Analysis of personal information security behavior and awareness. Comput Secur 56:83–93

    Article  Google Scholar 

  14. Genc ZA, Kardaş S, Kiraz MS (2017) Examination of a new defense mechanism: honeywords. In: IFIP International conference on information security theory and practice. pp 130–139, Springer

  15. Bosnjak L, Brumen B (2016) What do students do with their assigned default passwords?. In: 2016 39th International convention on information and communication technology, electronics and microelectronics (MIPRO). pp 1430–1435

  16. Van Schaik P, Jeske D, Onibokun J, Coventry L, Jansen J, Kusev P (2017) Risk perceptions of cyber-security and precautionary behaviour. Comput Human Behav 75(2017):547–559

    Article  Google Scholar 

  17. Haeussinger F, Kranz J (2017) Antecedents of employees’ information security awareness-review, synthesis, and directions for future research. European Conference on Information Systems (ECIS)

  18. Abbott J, Garcia V (2015) Password differences based on language and testing of memory recall. NNGT Int J Inf Secur 2:1–6

    Google Scholar 

  19. McEvoy P, Still JD (2016) Contextualizing mnemonic phrase passwords. In: Advances in human factors in cybersecurity. pp 295–304, Springer

  20. Ur B, Noma F, Bees J, Segreti S, Shay R, Bauer L, Christin N, Cranor L (2015) I added ‘!’ at the end to make it secure: observing password creation in the lab. In: Eleventh symposium on usable privacy and security (SOUPS 2017) USENIX association

  21. Devillers M (2010) Analyzing password strength, Radboud University Nijmegen, Tech. Rep, vol. 2

  22. Tam L, Glassman M, Vandenwauver M (2010) The psychology of password management: a tradeoff between security and convenience. Behav Inf Technol 29(3):233–244

    Article  Google Scholar 

  23. Stobert E, Biddle R (2014) The password life cycle: user behaviour in managing passwords. In: Tenth symposium on usable privacy and security (SOUPS 2017) USENIX association

  24. Bartsch S, Sasse A (2013) How users bypass access control - and why: the impact of authorization problems on individuals and the organization. In: European conference on information systems (ECIS)

  25. Gao X, Yang Y, Liu C, Mitropoulos C, Lindqvist J (2018) Forgetting of passwords: ecological theory and data. Proceedings of the 27th USENIX security symposium 28(2018):47–62

    Google Scholar 

  26. Ruoti S, Monson T, Wu J, Zappala D, Seamons K (2017) Weighing context and trade-offs: how suburban adults selected their online security posture. In: Thirteenth symposium on usable privacy and security (SOUPS 2017) USENIX association

  27. Liu Z, Hong Y, Pi D (2014) A large-scale study of Web password habits of Chinese network users. J Soc Work 9(2):293–297

    Google Scholar 

  28. Song P, Wei Phang C (2016) Promoting continuance through shaping members’ social identity in knowledge-based versus support/advocacy virtual communities. IEEE Transactions on Engineering Management 63(1):16–26

    Article  Google Scholar 

  29. Yan Q, Wu L, Yi L (2012) Influence of social identity on information release in microblog. 2012 Second International Conference on Intelligent System Design and Engineering Application

  30. Fahl S, Harbach M, Acar Y, Smith M (2013) On the ecological validity of a password study. In: Ninth symposium on usable privacy and security (SOUPS 2013) USENIX association

  31. HackRead (2017) Anti public combo list with billions of accounts leaked

  32. Choudhary R (2017) Anti public combo list, leaked email passwords check have you been pwned

  33. International Assigned Numbers Authority Root zone database

  34. Burr W, Dodson D, Newton E, Perlner R, Polk W, Gupta S, Nabbus E (2013) Nist special publication 800-63-2. electronic authentication guideline, Computer Security Resource Center NIST

  35. Anderson C (2018) Top 10 most spoken languages in the world

  36. Yujian L, Bo L (2007) A normalized Levenshtein distance metric. IEEE Trans Pattern Anal Mach Intell 29(6):1091–1095

    Article  Google Scholar 

  37. Campbell M (2018) Behind the name: meaning of names, baby name meanings

  38. Haunts S (2019) What are data breaches?. Applied Cryptography in.NET and Azure Key Vault 1–10

  39. Rodrigues B, Paiva J, Gomes V, Morris C, Calixto W (2017) Passfault: an open source tool for measuring password complexity and strength, Orlando, Florida, Mar

  40. LastPass (2020) Psychology of passwords: The online behavior that’s putting you at risk. https://lp-cdn.lastpass.com/lporcamedia/document-library/lastpass/pdf/en/LastPass-B2C-Assets-Ebook.pdf/. Available at https://lp-cdn.lastpass.com/lporcamedia/documentlibrary/lastpass/pdf/en/LastPass-B2C-Assets-Ebook.pdf/

Download references

Acknowledgments

Jongkil Jay Jeong is supported by the Cyber Security Research Centre Limited whose activities are partially funded by the Australian Government’s Cooperative Research Centres Program.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Marthie Grobler.

Additional information

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Grobler, M., Chamikara, M.A.P., Abbott, J. et al. The importance of social identity on password formulations. Pers Ubiquit Comput 25, 813–827 (2021). https://doi.org/10.1007/s00779-020-01477-1

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s00779-020-01477-1

Keywords

Navigation