{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,5]],"date-time":"2026-02-05T11:15:17Z","timestamp":1770290117449,"version":"3.49.0"},"reference-count":57,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2021,6,3]],"date-time":"2021-06-03T00:00:00Z","timestamp":1622678400000},"content-version":"vor","delay-in-days":153,"URL":"http:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/100000001","name":"U.S. National Science Foundation","doi-asserted-by":"crossref","award":["CNS-1116544"],"award-info":[{"award-number":["CNS-1116544"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/100000001","name":"U.S. National Science Foundation","doi-asserted-by":"crossref","award":["CNS-1115926"],"award-info":[{"award-number":["CNS-1115926"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2021,2,16]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Passwords are one of the most common security technologies that people use everyday. Choosing a new password is a security decision that can have important consequences for end users. Passwords can be long and complex, which prioritizes the security-focused aspects of a password. They can also be simple\u2014easy to create, remember, and use\u2014which prioritizes the usability aspects of the password. The tradeoff between password security versus usability represents competing constraints that shape password creation and use. We examined an ecologically valid dataset of 853 passwords entered a total of 2533 times by 134 users into 1010 websites, to test hypotheses about the impact of these constraints. We found evidence that choices about password complexity reflect an emphasis on security needs, but little support for the hypothesis that users take day-to-day ease of use of the password into account when creating it. There was also little evidence that password creation policies drive password choices.<\/jats:p>","DOI":"10.1093\/cybsec\/tyab012","type":"journal-article","created":{"date-parts":[[2021,6,3]],"date-time":"2021-06-03T10:58:31Z","timestamp":1622717911000},"source":"Crossref","is-referenced-by-count":20,"title":["Prioritizing security over usability: Strategies for how people choose passwords"],"prefix":"10.1093","volume":"7","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4266-975X","authenticated-orcid":false,"given":"Rick","family":"Wash","sequence":"first","affiliation":[{"name":"Department of Media and Information, Michigan State University, East Lansing, MI 48824, USA"}]},{"given":"Emilee","family":"Rader","sequence":"additional","affiliation":[{"name":"Department of Media and Information, Michigan State University, East Lansing, MI 48824, USA"}]}],"member":"286","published-online":{"date-parts":[[2021,6,1]]},"reference":[{"key":"2021070819462656500_tyab012-B1","volume-title":"Passwords could be past tense by 2002","author":"Phillips"},{"key":"2021070819462656500_tyab012-B2","article-title":"Understanding password choices: how frequently entered passwords are re-used across websites","author":"Wash","year":"2016","journal-title":"Proceedings of the Symposium on Usable Privacy and Security (SOUPS)"},{"key":"2021070819462656500_tyab012-B3","first-page":"228","author":"Sasse","year":"2014"},{"key":"2021070819462656500_tyab012-B4","doi-asserted-by":"crossref","first-page":"7","DOI":"10.1145\/1282100.1282105","article-title":"Security when people matter: structuring incentives for user behavior","volume-title":"ICEC \u201907: Proceedings of the Ninth International Conference on Electronic Commerce","author":"Wash","year":"2007"},{"key":"2021070819462656500_tyab012-B5","doi-asserted-by":"crossref","first-page":"78","DOI":"10.1145\/2699390","article-title":"Passwords and the evolution of imperfect authentication","volume":"58","author":"Bonneau","year":"2015","journal-title":"Commun ACM"},{"key":"2021070819462656500_tyab012-B6","first-page":"3","volume-title":"Technology and Practice of Passwords","author":"Elizabeth","year":"2016"},{"key":"2021070819462656500_tyab012-B7","first-page":"327","author":"Ion","year":"2015"},{"key":"2021070819462656500_tyab012-B8","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3183341","article-title":"The password life cycle","volume":"21","author":"Stobert","year":"2018","journal-title":"ACM Trans Priv Secur"},{"key":"2021070819462656500_tyab012-B9","first-page":"538","article-title":"The science of guessing: analyzing an anonymized corpus of 70 million passwords","author":"Bonneau","year":"2012","journal-title":"IEEE Symposium on Security and Privacy San Francisco (CA): IEEE"},{"key":"2021070819462656500_tyab012-B10","doi-asserted-by":"crossref","first-page":"295","DOI":"10.1145\/3133956.3133973","volume-title":"The 2017 ACM SIGSAC Conference","author":"Pearman","year":"2017"},{"key":"2021070819462656500_tyab012-B11","doi-asserted-by":"crossref","first-page":"347","DOI":"10.1126\/science.146.3642.347","article-title":"Strong inference","volume":"146","author":"Platt","year":"1964","journal-title":"Science"},{"key":"2021070819462656500_tyab012-B12","doi-asserted-by":"crossref","DOI":"10.4324\/9780203994627","volume-title":"The Logic of Scientific Discovery","author":"Popper","year":"2005"},{"key":"2021070819462656500_tyab012-B13","first-page":"14","article-title":"Rethinking password policies","volume":"38","author":"Singer","year":"2013","journal-title":"login"},{"key":"2021070819462656500_tyab012-B14","author":"Burr","year":"2013"},{"key":"2021070819462656500_tyab012-B15","author":"Scarfone","year":"2009"},{"key":"2021070819462656500_tyab012-B16","doi-asserted-by":"crossref","DOI":"10.1145\/1837110.1837113","article-title":"Encountering stronger password requirements: user attitudes and behaviors","author":"Shay","year":"2010","journal-title":"Proceedings of the Symposium on Usable Privacy and Security (SOUPS)"},{"key":"2021070819462656500_tyab012-B17","first-page":"173","volume-title":"The 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS)","author":"Mazurek","year":"2013"},{"key":"2021070819462656500_tyab012-B18","first-page":"523","volume-title":"IEEE Symposium on Security and Privacy (SP)","author":"Kelley","year":"2012"},{"key":"2021070819462656500_tyab012-B19","article-title":"Measuring real-world accuracies and biases in modeling password guessability","author":"Ur","year":"2015","journal-title":"USENIX Security Symposium"},{"key":"2021070819462656500_tyab012-B20","article-title":"Fast, lean, and accurate: modeling password guessability using neural networks","author":"Melicher","year":"2016","journal-title":"USENIX Security Symposium"},{"key":"2021070819462656500_tyab012-B21","first-page":"3748","volume-title":"ACM Conference on Human Factors in Computing (CHI)","author":"Ur","year":"2016"},{"key":"2021070819462656500_tyab012-B22","article-title":"\u201cI added \u2018!\u2019 at the end to make it secure\u201d: Observing password creation in the lab","volume-title":"USENIX Security Symposium","author":"Ur","year":"2015"},{"key":"2021070819462656500_tyab012-B23","doi-asserted-by":"crossref","first-page":"256","DOI":"10.1016\/j.intcom.2011.03.007","article-title":"Using and managing multiple passwords: a week to a view","volume":"23","author":"Grawemeyer","year":"2011","journal-title":"Interact Comput"},{"key":"2021070819462656500_tyab012-B24","first-page":"71","article-title":"Passwords and perceptions","author":"Notoatmodjo","year":"2009","journal-title":"Proceedings of the Seventh Australasian Conference on Information Security (AISC), Wellington (New Zealand)"},{"key":"2021070819462656500_tyab012-B25","doi-asserted-by":"crossref","first-page":"173","DOI":"10.1145\/2435349.2435373","article-title":"A study of user password strategy for multiple accounts","author":"Taiabul Haque","year":"2013","journal-title":"Proceedings of the Third ACM Conference on Data and Application Security and Privacy (CODASPY), San Antonio (TX): ACM"},{"key":"2021070819462656500_tyab012-B26","doi-asserted-by":"crossref","first-page":"415","DOI":"10.1016\/j.ijhcs.2012.02.008","article-title":"Rational security: Modelling everyday password use","volume":"70","author":"Duggan","year":"2012","journal-title":"J Hum Comput Stud"},{"key":"2021070819462656500_tyab012-B27","volume-title":"Technical Report","author":"Steves","year":"2014"},{"key":"2021070819462656500_tyab012-B28","volume-title":"Game Theory","author":"Fudenberg","year":"1991"},{"key":"2021070819462656500_tyab012-B29","doi-asserted-by":"crossref","first-page":"909","DOI":"10.2307\/2938166","article-title":"Comments on the interpretation of game theory","volume":"59","author":"Rubinstein","year":"1991","journal-title":"Econometrica"},{"key":"2021070819462656500_tyab012-B30","doi-asserted-by":"crossref","first-page":"1138","DOI":"10.1257\/00028280260344678","article-title":"Testing mixed-strategy equilibria when players are heterogeneous: the case of penalty kicks in soccer","volume":"92","author":"Chiappori","year":"2002","journal-title":"Am Econ Rev"},{"key":"2021070819462656500_tyab012-B31","volume-title":"The Evolution of Cooperation","author":"Axelrod","year":"2006","edition":"Reprint edition"},{"key":"2021070819462656500_tyab012-B32","first-page":"460","article-title":"Survival of the shortest: a retrospective analysis of influencing factors on password composition","author":"von Zezschwitz","year":"2013","journal-title":"Proceedings of Human\u2013Computer Interaction\u2014INTERACT"},{"key":"2021070819462656500_tyab012-B33","article-title":"How apple and amazon security flaws led to my epic hacking","author":"Honan","year":"2012","journal-title":"Wired"},{"key":"2021070819462656500_tyab012-B34","volume-title":"CCC Visioning Workshop on Grand Challenges in Sociotechnical Cybersecurity","author":"Wash","year":"2016"},{"key":"2021070819462656500_tyab012-B35","first-page":"383","volume-title":"ACM Conference on Human Factors in Computing (CHI)","author":"Inglesant","year":"2010"},{"key":"2021070819462656500_tyab012-B36","doi-asserted-by":"crossref","DOI":"10.1145\/1837110.1837124","article-title":"Where do security policies come from?","author":"Flor\u00eancio","year":"2010","journal-title":"Proceedings of the Symposium on Usable Privacy and Security (SOUPS)"},{"key":"2021070819462656500_tyab012-B37","doi-asserted-by":"crossref","first-page":"2595","DOI":"10.1145\/1978942.1979321","article-title":"Of passwords and people: measuring the effect of password-composition policies","author":"Komanduri","year":"2011","journal-title":"Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI)"},{"key":"2021070819462656500_tyab012-B38","first-page":"1","volume-title":"Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems, CHI \u201918","author":"Hanamsagar","year":"2018"},{"key":"2021070819462656500_tyab012-B39","author":"The Internet Archive Wayback Machine","year":"2018"},{"key":"2021070819462656500_tyab012-B40","author":"Webshrinker","year":"2018"},{"key":"2021070819462656500_tyab012-B41","doi-asserted-by":"crossref","first-page":"235","DOI":"10.1080\/00031305.2018.1527253","article-title":"Abandon statistical significance","volume":"73","author":"McShane","year":"2019","journal-title":"Am Statist"},{"key":"2021070819462656500_tyab012-B42","doi-asserted-by":"crossref","first-page":"672","DOI":"10.1177\/1541931215591146","article-title":"Memory and motor processes of password entry error","volume":"59","author":"Tamborello","year":"2015","journal-title":"Proceedings of the Human Factors and Ergonomics Society"},{"key":"2021070819462656500_tyab012-B43","first-page":"162","volume-title":"Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS \u201910","author":"Weir","year":"2010"},{"key":"2021070819462656500_tyab012-B44","doi-asserted-by":"crossref","first-page":"80","DOI":"10.1108\/ICS-06-2016-0043","article-title":"Must I, can I? I don\u2019t understand your ambiguous password rules","volume":"25","author":"Greene","year":"2017","journal-title":"Inform Comput Secur"},{"key":"2021070819462656500_tyab012-B45","doi-asserted-by":"crossref","DOI":"10.1002\/9781394260645","volume-title":"Internet, Phone, Mail, and Mixed-Mode Surveys: The Tailored Design Method","author":"Dillman","year":"2014","edition":"4th edn."},{"key":"2021070819462656500_tyab012-B46","volume-title":"Scale Development: Theory and Applications. Number 26 in Applied Social Research Methods","author":"DeVellis","year":"2016"},{"key":"2021070819462656500_tyab012-B47","doi-asserted-by":"crossref","first-page":"111","DOI":"10.1017\/S0140525X10000725","article-title":"Beyond WEIRD: towards a broad-based behavioral science","volume":"33","author":"Henrich","year":"2010","journal-title":"Behav Brain Sci"},{"key":"2021070819462656500_tyab012-B48","doi-asserted-by":"crossref","first-page":"190","DOI":"10.1016\/j.im.2012.04.002","article-title":"Motivating is security compliance: insights from habit and protection motivation theory","volume":"49","author":"Vance","year":"2012","journal-title":"Inform Manage"},{"key":"2021070819462656500_tyab012-B49","author":"CSID and Research Now","year":"2012"},{"key":"2021070819462656500_tyab012-B50","author":"Lord","year":"2018"},{"key":"2021070819462656500_tyab012-B51","first-page":"319","volume-title":"Proceedings of the Fifteenth USENIX Conference on Usable Privacy and Security, SOUPS\u2019 19","author":"Pearman","year":"2019"},{"key":"2021070819462656500_tyab012-B52","first-page":"575","article-title":"Password portfolios and the finite-effort user: sustainably managing large numbers of accounts","author":"Flor\u00eancio","year":"2014","journal-title":"Proceedings of the 23rd USENIX Security Symposium"},{"key":"2021070819462656500_tyab012-B53","article-title":"Wash R. Identifying patterns in informal sources of security information","volume":"1","author":"Rader","year":"2015","journal-title":"J Cybersecur"},{"key":"2021070819462656500_tyab012-B54","first-page":"44","article-title":"An administrator\u2019s guide to internet password research","author":"Flor\u00eancio","year":"2014","journal-title":"Proceedings of the 28th USENIX Conference on Large Installation System Administration (LISA)"},{"key":"2021070819462656500_tyab012-B55","volume-title":"NDSS Workshop on Usable Security","author":"Kirlappos","year":"2014"},{"key":"2021070819462656500_tyab012-B56","article-title":"How does your password measure up?","author":"Ur","year":"2012","journal-title":"The Effect of Strength Meters on Password Creation. USENIX Security Symposium"},{"key":"2021070819462656500_tyab012-B57","first-page":"3775","volume-title":"ACM Conference on Human Factors in Computing (CHI)","author":"Ur","year":"2017"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/7\/1\/tyab012\/38462200\/tyab012.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/7\/1\/tyab012\/38462200\/tyab012.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,9,1]],"date-time":"2024-09-01T04:21:25Z","timestamp":1725164485000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyab012\/6291418"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,1,1]]},"references-count":57,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2021,2,16]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyab012","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2021,1,1]]},"published":{"date-parts":[[2021,1,1]]},"article-number":"tyab012"}}