{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,12]],"date-time":"2026-03-12T15:27:47Z","timestamp":1773329267988,"version":"3.50.1"},"reference-count":25,"publisher":"Emerald","issue":"1","license":[{"start":{"date-parts":[[2017,3,13]],"date-time":"2017-03-13T00:00:00Z","timestamp":1489363200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2017,3,13]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>The purpose of this research is to investigate user comprehension of ambiguous terminology in password rules. Although stringent password policies are in place to protect information system security, such complexity does not have to mean ambiguity for users. While many aspects of passwords have been studied, no research to date has systematically examined how ambiguous terminology affects user comprehension of password rules.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>This research used a combination of quantitative and qualitative methods in a usable security study with 60 participants. Study tasks contained password rules based on real-world password requirements. Tasks consisted of character-selection tasks that varied the terms for non-alphanumeric characters to explore users\u2019 interpretations of password rule language, and compliance-checking tasks to investigate how well users can apply their understanding of the allowed character space.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>Results show that manipulating password rule terminology causes users\u2019 interpretation of the allowed character space to shrink or expand. Users are confused by the terms \u201cnon-alphanumeric\u201d, \u201csymbols\u201d, \u201cspecial characters\u201d and \u201cpunctuation marks\u201d in password rules. Additionally, users are confused by partial lists of allowed characters using \u201ce.g.\u201d or \u201cetc.\u201d<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title>\n<jats:p>This research provides data-driven usability guidance on constructing clearer language for password policies. Improving language clarity will help usability without sacrificing security, as simplifying password rule language does not change security requirements.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This is the first usable security study to systematically measure the effects of ambiguous password rules on user comprehension of the allowed character space.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-06-2016-0043","type":"journal-article","created":{"date-parts":[[2017,3,1]],"date-time":"2017-03-01T08:28:36Z","timestamp":1488356916000},"page":"80-99","source":"Crossref","is-referenced-by-count":4,"title":["Must I, can I? I don\u2019t understand your ambiguous password rules"],"prefix":"10.1108","volume":"25","author":[{"given":"Kristen K.","family":"Greene","sequence":"first","affiliation":[]},{"given":"Yee-Yin","family":"Choong","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"key":"key2020120812072594200_ref001","first-page":"538","article-title":"The science of guessing: analyzing an anonymized corpus of 70 million passwords","year":"2012"},{"key":"key2020120812072594200_ref002","doi-asserted-by":"crossref","first-page":"641","DOI":"10.1002\/acp.1014","article-title":"Generating and remembering passwords","volume":"18","year":"2004","journal-title":"Applied Cognitive Psychology"},{"issue":"3","key":"key2020120812072594200_ref003","doi-asserted-by":"crossref","first-page":"379","DOI":"10.1080\/0144929X.2010.492876","article-title":"Impact of restrictive composition policy on user password choices","volume":"30","year":"2011","journal-title":"Behaviour and Information Technology"},{"key":"key2020120812072594200_ref004","first-page":"127","article-title":"A cognitive-behavioral framework of user password management lifecycle","year":"2014","journal-title":"Human Aspects of Information Security, Privacy, and Trust"},{"key":"key2020120812072594200_ref005","article-title":"The tangled web of password reuse","year":"2014","journal-title":"Network and Distributed System Security Symposium (NDSS\u201914)"},{"key":"key2020120812072594200_ref006","first-page":"37","article-title":"Behavioral response to phishing risk","volume-title":"Proceedings of the Anti-Phishing Working Groups 2nd Annual eCrime Researchers Summit, ACM","year":"2007"},{"key":"key2020120812072594200_ref007","first-page":"657","article-title":"A large-scale study of web password habits","year":"2007"},{"key":"key2020120812072594200_ref008","first-page":"575","article-title":"Password portfolios and the finite-effort user: sustainably managing large numbers of accounts","volume-title":"Proceedings of USENIX Security","year":"2014"},{"key":"key2020120812072594200_ref009","first-page":"217","article-title":"Essential lessons still not learned? Examining the password practices of end-users and service providers","year":"2013","journal-title":"Human Aspects of Information Security, Privacy, and Trust"},{"issue":"3","key":"key2020120812072594200_ref010","doi-asserted-by":"crossref","first-page":"256","DOI":"10.1016\/j.intcom.2011.03.007","article-title":"Using and managing multiple passwords: a week to a view","volume":"23","year":"2011","journal-title":"Interacting with Computers"},{"key":"key2020120812072594200_ref011","first-page":"173","article-title":"A study of user password strategy for multiple accounts","year":"2013"},{"key":"key2020120812072594200_ref012","unstructured":"Haskins, W. (2007), \u201cNetwork security: gullible users are the weakest link\u201d, TechNewsWorld, available at: www.technewsworld.com\/story\/60520.html (accessed May 2016)."},{"key":"key2020120812072594200_ref013","first-page":"28","article-title":"Research agenda acknowledging the persistence of passwords","year":"2012","journal-title":"IEEE Security and Privacy"},{"key":"key2020120812072594200_ref014","unstructured":"IT Governance (2013), Boardroom Cyber Watch 2013: Report."},{"key":"key2020120812072594200_ref015","first-page":"523","article-title":"Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms","year":"2012"},{"key":"key2020120812072594200_ref016","unstructured":"Microsoft (2016), \u201cUsing special characters (character map)\u201d, available at: http:\/\/windows.microsoft.com\/en-us\/windows\/using-special-characters-character-map-faq-1TC=windows-7 (accessed May 2016)."},{"key":"key2020120812072594200_ref017","first-page":"249","article-title":"Phishing in a university community: two large scale phishing experiments","year":"2012","journal-title":"Innovations in Information Technology (IIT)"},{"key":"key2020120812072594200_ref018","first-page":"139","article-title":"Phishing - the threat that still exists","year":"2015"},{"key":"key2020120812072594200_ref019","unstructured":"Open Web Application Security Project (OWASP) (2016), \u201cPassword special characters\u201d, available at: www.owasp.org\/index.php\/Password_special_characters (accessed May 2016)."},{"key":"key2020120812072594200_ref020","doi-asserted-by":"crossref","first-page":"122","DOI":"10.1023\/A:1011902718709","article-title":"Transforming the \u2018weakest link\u2019 \u2013 a human\/computer interaction approach to usable and effective security","volume":"19","year":"2001","journal-title":"BT Technology Journal"},{"key":"key2020120812072594200_ref021","first-page":"240","article-title":"Clear, unambiguous password policies: an oxymoron?","year":"2014","journal-title":"Cross-Cultural Design"},{"key":"key2020120812072594200_ref022","first-page":"460","article-title":"Survival of the shortest- a retrospective analysis of influencing factors on password composition","volume-title":"Human-Computer Interaction \u2013 INTERACT","year":"2013"},{"key":"key2020120812072594200_ref023","doi-asserted-by":"crossref","first-page":"744","DOI":"10.1016\/j.ijhcs.2007.03.007","article-title":"Improving password security and memorability to protect personal and organizational information","volume":"65","year":"2007","journal-title":"International Journal of Human-Computer Studies"},{"key":"key2020120812072594200_ref024","first-page":"391","article-title":"Password cracking using probabilistic context-free grammars","year":"2009"},{"key":"key2020120812072594200_ref025","first-page":"162","article-title":"Testing metrics for password creation policies by attacking large sets of revealed passwords","year":"2010"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-06-2016-0043\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-06-2016-0043\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:58Z","timestamp":1753406578000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/25\/1\/80-99\/109749"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,3,13]]},"references-count":25,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2017,3,13]]}},"alternative-id":["10.1108\/ICS-06-2016-0043"],"URL":"https:\/\/doi.org\/10.1108\/ics-06-2016-0043","relation":{},"ISSN":["2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2017,3,13]]}}}