{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,13]],"date-time":"2026-04-13T22:13:46Z","timestamp":1776118426103,"version":"3.50.1"},"reference-count":129,"publisher":"Association for Computing Machinery (ACM)","issue":"5","license":[{"start":{"date-parts":[[2024,10,31]],"date-time":"2024-10-31T00:00:00Z","timestamp":1730332800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Comput.-Hum. Interact."],"published-print":{"date-parts":[[2024,10,31]]},"abstract":"\n We draw on the Protection Motivation Theory (PMT) to design interventions that encourage users to change breached passwords. Our online experiment (\n \n \\(n=1{,}386\\)<\/jats:tex-math>\n <\/jats:inline-formula>\n ) compared the effectiveness of a threat appeal (highlighting the negative consequences after passwords were breached) and a coping appeal (providing instructions on changing the breached password) in a 2\n \n \\(\\times\\)<\/jats:tex-math>\n <\/jats:inline-formula>\n 2 factorial design. Compared to the control condition, participants receiving the threat appeal were more likely to intend to change their passwords, and participants receiving both appeals were more likely to end up changing their passwords. Participants\u2019 password change behaviors are further associated with other factors, such as their security attitudes (SA-6) and time passed since the breach, suggesting that PMT-based interventions are useful but insufficient to fully motivate users to change their passwords. Our study contributes to PMT\u2019s application in security research and provides concrete design implications for improving compromised credential notifications.\n <\/jats:p>","DOI":"10.1145\/3689432","type":"journal-article","created":{"date-parts":[[2024,8,30]],"date-time":"2024-08-30T16:06:33Z","timestamp":1725033993000},"page":"1-45","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":13,"title":["Encouraging Users to Change Breached Passwords Using the Protection Motivation Theory"],"prefix":"10.1145","volume":"31","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9088-705X","authenticated-orcid":false,"given":"Yixin","family":"Zou","sequence":"first","affiliation":[{"name":"Max Planck Institute for Security and Privacy, Bochum, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-0438-8360","authenticated-orcid":false,"given":"Khue","family":"Le","sequence":"additional","affiliation":[{"name":"University of Michigan, Ann Arbor, MI, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6267-4874","authenticated-orcid":false,"given":"Peter","family":"Mayer","sequence":"additional","affiliation":[{"name":"University of Southern Denmark, Odense, Denmark"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6582-6178","authenticated-orcid":false,"given":"Alessandro","family":"Acquisti","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, PA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3792-2485","authenticated-orcid":false,"given":"Adam J.","family":"Aviv","sequence":"additional","affiliation":[{"name":"The George Washington University, Washington, DC, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1039-7155","authenticated-orcid":false,"given":"Florian","family":"Schaub","sequence":"additional","affiliation":[{"name":"University of Michigan, Ann Arbor, MI, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2024,11,9]]},"reference":[{"key":"e_1_3_2_2_2","first-page":"715","volume-title":"Proceedings of the USENIX Security Symposium","author":"Abramova Svetlana","year":"2023","unstructured":"Svetlana Abramova and Rainer B\u00f6hme. 2023. Anatomy of a high-profile data breach: Dissecting the aftermath of a crypto-wallet case. In Proceedings of the USENIX Security Symposium. USENIX, 715\u2013732. Retrieved from https:\/\/www.usenix.org\/system\/files\/usenixsecurity23-abramova.pdf"},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1016\/0749-5978(91)90020-T"},{"key":"e_1_3_2_4_2","first-page":"31","volume-title":"Proceedings of the Symposium on Usable Privacy and Security (SOUPS \u201918)","author":"Al Qahtani Elham","year":"2018","unstructured":"Elham Al Qahtani, Mohamed Shehab, and Abrar Aljohani. 2018. The effectiveness of fear appeals in increasing smartphone locking behavior among Saudi Arabians. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS \u201918). USENIX, 31\u201346. Retrieved from https:\/\/www.usenix.org\/system\/files\/conference\/soups2018\/soups2018-qahtani.pdf"},{"key":"e_1_3_2_5_2","first-page":"49","volume-title":"Proceedings of the Symposium on Usable Privacy and Security","author":"Albayram Yusuf","year":"2017","unstructured":"Yusuf Albayram, Mohammad Maifi Hasan Khan, Theodore Jensen, and Nhan Nguyen. 2017. \u201c\u2026 Better to use a lock screen than to worry about saving a few seconds of time\u201d: Effect of fear appeal in the context of smartphone locking behavior. In Proceedings of the Symposium on Usable Privacy and Security. USENIX, 49\u201363. Retrieved from https:\/\/www.usenix.org\/system\/files\/conference\/soups2017\/soups2017-albayram.pdf"},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.14722\/eurousec.2016.23011"},{"key":"e_1_3_2_7_2","doi-asserted-by":"publisher","DOI":"10.24251\/HICSS.2019.582"},{"key":"e_1_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.2307\/25750694"},{"key":"e_1_3_2_9_2","first-page":"8:1","volume-title":"Proceedings of the Workshop on Technology and Consumer Protection","author":"Bhagavatula Sruti","year":"2020","unstructured":"Sruti Bhagavatula, Lujo Bauer, and Apu Kapadia. 2020. (How) do people change their passwords after a breach? In Proceedings of the Workshop on Technology and Consumer Protection. IEEE, Virtual Conference, 8:1\u20138:8. Retrieved from https:\/\/www.ieee-security.org\/TC\/SPW2020\/ConPro\/papers\/bhagavatula-conpro20.pdf"},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1080\/0144929X.2015.1028448"},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.25300\/MISQ\/2015\/39.4.5"},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.chb.2016.11.018"},{"key":"e_1_3_2_13_2","doi-asserted-by":"publisher","DOI":"10.1145\/2739044"},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","DOI":"10.1080\/03610911003650383"},{"key":"e_1_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1145\/3491102.3517475"},{"key":"e_1_3_2_16_2","doi-asserted-by":"publisher","DOI":"10.1145\/3313831.3376389"},{"key":"e_1_3_2_17_2","unstructured":"Lorrie Cranor. 2016. Time to Rethink Mandatory Password Changes. Retrieved September 4 2024 from https:\/\/www.ftc.gov\/policy\/advocacy-research\/tech-at-ftc\/2016\/03\/time-rethink-mandatory-password-changes"},{"issue":"2","key":"e_1_3_2_18_2","first-page":"273","article-title":"Necessary but not sufficient: Standardized mechanisms for privacy notice and choice","volume":"10","author":"Cranor Lorrie Faith","year":"2012","unstructured":"Lorrie Faith Cranor. 2012. Necessary but not sufficient: Standardized mechanisms for privacy notice and choice. Journal on Telecommunications and High Technology Law 10, 2 (2012), 273\u2013308.","journal-title":"Journal on Telecommunications and High Technology Law"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.2308\/isys-50704"},{"key":"e_1_3_2_20_2","unstructured":"Cybersecurity & Infrastructure Security Agency. 2019. Security TIP (ST04-002) Choosing and Protecting Passwords. Retrieved September 4 2024 from https:\/\/www.cisa.gov\/uscert\/ncas\/tips\/ST04-002"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.14722\/NDSS.2014.23357"},{"key":"e_1_3_2_22_2","unstructured":"Dashlane. 2018. World Password Day: How to Improve Your Passwords. Retrieved September 4 2024 from https:\/\/blog.dashlane.com\/world-password-day\/"},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2019.00037"},{"key":"e_1_3_2_24_2","unstructured":"Kerry DeVito. 2022. How to Improve Your Watchtower Score in 1Password. Retrieved September 4 2024 from https:\/\/blog.1password.com\/improve-watchtower-score-1password\/"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1145\/2470654.2481329"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1145\/3290605.3300764"},{"key":"e_1_3_2_27_2","unstructured":"The European Parliament and the Council of the European Union. 2016. Regulation (EU) 2016\/679 of the European Parliament and of the Council of 27. April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data and Repealing Directive 95\/46\/EC (General Data Protection Regulation). Retrieved September 4 2024 from http:\/\/data.europa.eu\/eli\/reg\/2016\/679\/oj"},{"key":"e_1_3_2_28_2","first-page":"61","volume-title":"Proceedings of the Symposium on Usable Privacy and Security","author":"Faklaris Cori","year":"2019","unstructured":"Cori Faklaris, Laura A. Dabbish, and Jason I. Hong. 2019. A self-report measure of end-user security attitudes (SA-6). In Proceedings of the Symposium on Usable Privacy and Security. USENIX, 61\u201377. Retrieved from https:\/\/www.usenix.org\/system\/files\/soups2019-faklaris.pdf"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1145\/1242572.1242661"},{"key":"e_1_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.1111\/j.1559\u20131816.2000.tb02323.x"},{"key":"e_1_3_2_31_2","first-page":"97","volume-title":"Proceedings of the Symposium on Usable Privacy and Security","author":"Forget Alain","year":"2016","unstructured":"Alain Forget, Sarah Pearman, Jeremy Thomas, Alessandro Acquisti, Nicolas Christin, Lorrie Faith Cranor, Serge Egelman, Marian Harbach, and Rahul Telang. 2016. Do or do not, there is no try: User engagement may not improve security outcomes. In Proceedings of the Symposium on Usable Privacy and Security. USENIX, 97\u2013111. Retrieved from https:\/\/www.usenix.org\/system\/files\/conference\/soups2016\/soups2016-paper-forget.pdf"},{"key":"e_1_3_2_32_2","unstructured":"Rose de Fremery. 2021. Breaking the Cycle of Password Reuse. Retrieved September 4 2024 from https:\/\/blog.lastpass.com\/2021\/09\/breaking-the-cycle-of-password-reuse\/"},{"key":"e_1_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.1145\/1143120.1143127"},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.aap.2013.04.004"},{"key":"e_1_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243767"},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1037\/0003-066X.54.7.493"},{"key":"e_1_3_2_37_2","unstructured":"Paul A. Grassi James L. Fenton Elaine M. Newton Ray A. Perlner Andrew R. Regenscheid William E. Burr and Justin P. Richer. 2017. Digital Identity Guidelines: Authentication and Lifecycle Management \u2013 NIST Special Publication 800-63-3. Retrieved from https:\/\/nvlpubs.nist.gov\/nistpubs\/specialpublications\/nist.sp.800-63b.pdf"},{"key":"e_1_3_2_38_2","first-page":"13","volume-title":"Proceedings of the Symposium on Usable Privacy and Security","author":"Habib Hana","year":"2018","unstructured":"Hana Habib, Pardis Emami Naeini, Summer Devlin, Maggie Oates, Chelse Swoopes, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. 2018. User behaviors and attitudes under password expiration policies. In Proceedings of the Symposium on Usable Privacy and Security. USENIX, 13\u201330. Retrieved from https:\/\/www.usenix.org\/system\/files\/conference\/soups2018\/soups2018-habib-password.pdf"},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1145\/3313831.3376511"},{"key":"e_1_3_2_40_2","first-page":"387","volume-title":"Proceedings of the Symposium on Usable Privacy and Security","author":"Habib Hana","year":"2019","unstructured":"Hana Habib, Yixin Zou, Aditi Jannu, Neha Sridhar, Chelse Swoopes, Alessandro Acquisti, Lorrie Faith Cranor, Norman Sadeh, and Florian Schaub. 2019. An empirical analysis of data deletion and opt-out choices on 150 websites. In Proceedings of the Symposium on Usable Privacy and Security. USENIX, 387\u2013406. Retrieved from https:\/\/www.usenix.org\/system\/files\/soups2019-habib.pdf"},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.1080\/10580530.2015.1117842"},{"key":"e_1_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.1037\/bul0000025"},{"key":"e_1_3_2_43_2","doi-asserted-by":"publisher","DOI":"10.1057\/ejis.2009.6"},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.ijhcs.2020.102498"},{"key":"e_1_3_2_45_2","first-page":"155","volume-title":"Proceedings of the Symposium on Usable Privacy and Security","author":"Huang Yue","year":"2022","unstructured":"Yue Huang, Borke Obada-Obieh, and Konstantin Beznosov. 2022. Users\u2019 perceptions of chrome compromised credential notification. In Proceedings of the Symposium on Usable Privacy and Security. USENIX, 155\u2013174. Retrieved from https:\/\/www.usenix.org\/system\/files\/soups2022-huang_1.pdf"},{"key":"e_1_3_2_46_2","doi-asserted-by":"publisher","DOI":"10.1145\/3025453.3025788"},{"key":"e_1_3_2_47_2","unstructured":"Troy Hunt. 2022. Pwned Websites. Retrieved September 4 2024 from https:\/\/haveibeenpwned.com\/PwnedWebsites"},{"key":"e_1_3_2_48_2","unstructured":"Identity Theft Resource Center. 2022. Identity Theft Resource Center\u2019s 2021 Annual Data Breach Report Sets New Record for Number of Compromises. Retrieved September 4 2024 from https:\/\/www.idtheftcenter.org\/post\/identity-theft-resource-center-2021-annual-data-breach-report-sets-new-record-for-number-of-compromises\/"},{"key":"e_1_3_2_49_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2011.10.007"},{"key":"e_1_3_2_50_2","doi-asserted-by":"publisher","DOI":"10.1177\/109019818401100101"},{"key":"e_1_3_2_51_2","doi-asserted-by":"publisher","DOI":"10.17705\/1jais.00660"},{"key":"e_1_3_2_52_2","doi-asserted-by":"publisher","DOI":"10.1080\/02681102.2013.814040"},{"key":"e_1_3_2_53_2","unstructured":"Alison Grace Johansen. 2021. What to Do After 5 Types of Data Breaches. Retrieved September 4 2024 from https:\/\/us.norton.com\/blog\/emerging-threats\/what-to-do-after-a-data-breach"},{"key":"e_1_3_2_54_2","doi-asserted-by":"publisher","DOI":"10.2307\/25750691"},{"key":"e_1_3_2_55_2","doi-asserted-by":"publisher","DOI":"10.25300\/misq\/2015\/39.1.06"},{"key":"e_1_3_2_56_2","first-page":"217","volume-title":"Proceedings of the Symposium on Usable Privacy and Security","author":"Karunakaran Sowmya","year":"2018","unstructured":"Sowmya Karunakaran, Kurt Thomas, Elie Bursztein, and Oxana Comanescu. 2018. Data breaches: User comprehension, expectations, and concerns with handling exposed data. In Proceedings of the Symposium on Usable Privacy and Security. USENIX, 217\u2013234. Retrieved from https:\/\/www.usenix.org\/system\/files\/conference\/soups2018\/soups2018-karunakaran.pdf"},{"key":"e_1_3_2_57_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.biocon.2019.05.020"},{"key":"e_1_3_2_58_2","doi-asserted-by":"publisher","DOI":"10.1111\/ajpy.12271"},{"key":"e_1_3_2_59_2","doi-asserted-by":"publisher","DOI":"10.1145\/3491102.3502009"},{"key":"e_1_3_2_60_2","doi-asserted-by":"publisher","DOI":"10.1145\/1325555.1325569"},{"key":"e_1_3_2_61_2","unstructured":"LastPass. 2022. Digital Security Dashboard. Retrieved September 4 2024 from https:\/\/www.lastpass.com\/features\/security-dashboard"},{"key":"e_1_3_2_62_2","unstructured":"Kristin Lauter Sreekanth Kannepalli Kim Laine and Radames Cruz Moreno. 2021. Password Monitor: Safeguarding passwords in Microsoft Edge. Retrieved September 4 2024 from https:\/\/www.microsoft.com\/en-us\/research\/blog\/password-monitor-safeguarding-passwords-in-microsoft-edge\/"},{"key":"e_1_3_2_63_2","volume-title":"Research Methods in Human-Computer Interaction","author":"Lazar Jonathan","year":"2017","unstructured":"Jonathan Lazar, Jinjuan Heidi Feng, and Harry Hochheiser. 2017. Research Methods in Human-Computer Interaction. Morgan Kaufmann, San Francisco, CA."},{"key":"e_1_3_2_64_2","volume-title":"Stress, Appraisal, and Coping","author":"Lazarus Richard S.","year":"1984","unstructured":"Richard S. Lazarus and Susan Folkman. 1984. Stress, Appraisal, and Coping. Springer, New York, NY."},{"key":"e_1_3_2_65_2","doi-asserted-by":"publisher","DOI":"10.1080\/01449290600879344"},{"key":"e_1_3_2_66_2","doi-asserted-by":"publisher","DOI":"10.1016\/0022-1031(83)90023-9"},{"key":"e_1_3_2_67_2","doi-asserted-by":"publisher","DOI":"10.1145\/3098954.3098986"},{"key":"e_1_3_2_68_2","first-page":"1849","volume-title":"Proceedings of the USENIX Security Symposium","author":"Mayer Peter","year":"2022","unstructured":"Peter Mayer, Collins W. Munyendo, Michelle L. Mazurek, and Adam J. Aviv. 2022. Why users (don\u2019t) use password managers at a large educational institution. In Proceedings of the USENIX Security Symposium. USENIX, 1849\u20131866. Retrieved from https:\/\/www.usenix.org\/system\/files\/sec22-mayer.pdf"},{"key":"e_1_3_2_69_2","doi-asserted-by":"publisher","DOI":"10.1145\/3589958"},{"key":"e_1_3_2_70_2","first-page":"393","volume-title":"Proceedings of the USENIX Security Symposium","author":"Mayer Peter","year":"2021","unstructured":"Peter Mayer, Yixin Zou, Florian Schaub, and Adam J. Aviv. 2021. \u201cNow I\u2019m a bit angry:\u201d Individuals\u2019 awareness, perception, and responses to data breaches that affected them. In Proceedings of the USENIX Security Symposium. USENIX, Virtual Conference, 393\u2013410. Retrieved from https:\/\/www.usenix.org\/system\/files\/sec21fall-mayer.pdf"},{"key":"e_1_3_2_71_2","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516726"},{"key":"e_1_3_2_72_2","doi-asserted-by":"publisher","DOI":"10.1145\/3359174"},{"key":"e_1_3_2_73_2","doi-asserted-by":"publisher","DOI":"10.4018\/jhisi.2007070104"},{"key":"e_1_3_2_74_2","doi-asserted-by":"publisher","DOI":"10.1111\/j.1559-1816.2000.tb02308.x"},{"key":"e_1_3_2_75_2","doi-asserted-by":"publisher","DOI":"10.1002\/jcpy.1190"},{"key":"e_1_3_2_76_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.dss.2008.11.010"},{"key":"e_1_3_2_77_2","unstructured":"Office of the California Attorney General. 2020. California Consumer Privacy Act (CCPA): Final Text of Proposed Regulations. Retrieved September 4 2024 from https:\/\/oag.ca.gov\/sites\/all\/files\/agweb\/pdfs\/privacy\/oal-sub-final-text-of-regs.pdf"},{"key":"e_1_3_2_78_2","doi-asserted-by":"publisher","DOI":"10.1145\/2987443.2987475"},{"key":"e_1_3_2_79_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3133973"},{"key":"e_1_3_2_80_2","first-page":"319","volume-title":"Proceedings of the Symposium on Usable Privacy and Security","author":"Pearman Sarah","year":"2019","unstructured":"Sarah Pearman, Shikun Aerin Zhang, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. 2019. Why people (don\u2019t) use password managers effectively. In Proceedings of the Symposium on Usable Privacy and Security. USENIX, 319\u2013338. Retrieved from https:\/\/www.usenix.org\/system\/files\/soups2019-pearman.pdf"},{"key":"e_1_3_2_81_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.chb.2020.106347"},{"key":"e_1_3_2_82_2","unstructured":"Jennifer Pullman Kurt Thomas and Elie Bursztein. 2019. Protect Your Accounts From Data Breaches with Password Checkup. Retrieved September 4 2024 from https:\/\/security.googleblog.com\/2019\/02\/protect-your-accounts-from-data.html"},{"key":"e_1_3_2_83_2","first-page":"73","volume-title":"Proceedings of the USENIX Security Symposium","author":"Ray Hirak","year":"2021","unstructured":"Hirak Ray, Flynn Wolf, Ravi Kuber, and Adam J. Aviv. 2021. Why older adults (don\u2019t) use password managers. In Proceedings of the USENIX Security Symposium. USENIX, Virtual Conference, 73\u201390. Retrieved from https:\/\/www.usenix.org\/system\/files\/sec21-ray.pdf"},{"key":"e_1_3_2_84_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00059"},{"key":"e_1_3_2_85_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243740"},{"key":"e_1_3_2_86_2","doi-asserted-by":"publisher","DOI":"10.1080\/00223980.1975.9915803"},{"key":"e_1_3_2_87_2","first-page":"153","article-title":"Cognitive and psychological processes in fear appeals and attitude change: A revised theory of protection motivation","author":"Rogers Ronald W.","year":"1983","unstructured":"Ronald W. Rogers. 1983. Cognitive and psychological processes in fear appeals and attitude change: A revised theory of protection motivation. Social Psychophysiology: A Sourcebook (1983), 153\u2013177.","journal-title":"Social Psychophysiology: A Sourcebook"},{"key":"e_1_3_2_88_2","doi-asserted-by":"publisher","DOI":"10.1002\/pam.20567"},{"key":"e_1_3_2_89_2","doi-asserted-by":"publisher","DOI":"10.1002\/ijop.12042"},{"key":"e_1_3_2_90_2","volume-title":"The Coding Manual for Qualitative Researchers","author":"Salda\u223cna Johnny","year":"2015","unstructured":"Johnny Salda\u223cna. 2015. The Coding Manual for Qualitative Researchers. Sage, Thousand Oaks, CA."},{"key":"e_1_3_2_91_2","doi-asserted-by":"publisher","DOI":"10.1145\/3491102.3502083"},{"key":"e_1_3_2_92_2","doi-asserted-by":"publisher","DOI":"10.1145\/2556288.2557330"},{"key":"e_1_3_2_93_2","doi-asserted-by":"publisher","DOI":"10.1145\/2891411"},{"key":"e_1_3_2_94_2","doi-asserted-by":"publisher","DOI":"10.1111\/spc3.12265"},{"key":"e_1_3_2_95_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.chb.2015.01.046"},{"key":"e_1_3_2_96_2","unstructured":"Jeff Shiner. 2018. Finding compromised passwords with 1Password. Retrieved September 4 2024 from https:\/\/blog.1password.com\/finding-pwned-passwords-with-1password\/"},{"key":"e_1_3_2_97_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.im.2013.08.006"},{"key":"e_1_3_2_98_2","volume-title":"Breached!: Why Data Security Law Fails and How to Improve it","author":"Solove Daniel J.","year":"2022","unstructured":"Daniel J. Solove and Woodrow Hartzog. 2022. Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press, Oxford, UK."},{"key":"e_1_3_2_99_2","unstructured":"Elizabeth Stobert and Robert Biddle. 2014. The password life cycle: User behaviour in managing passwords. In Proceedings of the Symposium on Usable Privacy and Security. USENIX 243\u2013255. Retrieved from https:\/\/www.usenix.org\/system\/files\/conference\/soups2014\/soups14-paper-stobert.pdf"},{"key":"e_1_3_2_100_2","first-page":"379","volume-title":"Proceedings of the Symposium on Usable Privacy and Security","author":"Story Peter","year":"2020","unstructured":"Peter Story, Daniel Smullen, Alessandro Acquisti, Lorrie Faith Cranor, Norman Sadeh, and Florian Schaub. 2020. From intent to action: Nudging users towards secure mobile payments. In Proceedings of the Symposium on Usable Privacy and Security. USENIX, Virtual Conference, 379\u2013415. Retrieved from https:\/\/www.usenix.org\/system\/files\/soups2020-story.pdf"},{"key":"e_1_3_2_101_2","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2022-0040"},{"key":"e_1_3_2_102_2","unstructured":"Richard H. Thaler and Cass R. Sunstein. 2021. Nudge: The Final Edition. Yale University Press."},{"key":"e_1_3_2_103_2","unstructured":"The Federal Trade Commission. 2020. When Information Is Lost or Exposed. Retrieved September 4 2024 from https:\/\/www.identitytheft.gov\/databreach"},{"key":"e_1_3_2_104_2","unstructured":"The Federal Trade Commission. 2023. CAN-SPAM Act: A Compliance Guide for Business. Retrieved September 4 2024 from https:\/\/www.ftc.gov\/business-guidance\/resources\/can-spam-act-compliance-guide-business"},{"key":"e_1_3_2_105_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134067"},{"key":"e_1_3_2_106_2","first-page":"1556","volume-title":"Proceedings of the USENIX Security Symposium","author":"Thomas Kurt","year":"2019","unstructured":"Kurt Thomas, Jennifer Pullman, Kevin Yeo, Ananth Raghunathan, Patrick Gage Kelley, Luca Invernizzi, Borbala Benko, Tadek Pietraszek, Sarvar Patel, Dan Boneh, and Elie Bursztein. 2019. Protecting accounts from credential stuffing with password breach alerting. In Proceedings of the USENIX Security Symposium. USENIX, 1556\u20131571. Retrieved from https:\/\/www.usenix.org\/system\/files\/sec19-thomas.pdf"},{"key":"e_1_3_2_107_2","unstructured":"United Kingdom National Cybersecurity Center. 2018. Password Administration for System Owners. Retrieved September 4 2024 from https:\/\/www.ncsc.gov.uk\/collection\/passwords\/updating-your-approach"},{"key":"e_1_3_2_108_2","unstructured":"United States Census Bureau. 2022. Age and Sex Tables. Retrieved September 4 2024 from https:\/\/www.census.gov\/topics\/population\/age-and-sex\/data\/tables.2019.List_897222059.html"},{"key":"e_1_3_2_109_2","unstructured":"United States Census Bureau. 2022. Census Bureau Releases New Educational Attainment Data. Retrieved September 4 2024 from https:\/\/www.census.gov\/newsroom\/press-releases\/2022\/educational-attainment.html"},{"key":"e_1_3_2_110_2","unstructured":"United States Census Bureau. 2022. Selected Characteristics of Households by Total Money Income. Retrieved September 4 2024 from https:\/\/www.census.gov\/data\/tables\/time-series\/demo\/income-poverty\/cps-hinc\/hinc-01.html"},{"key":"e_1_3_2_111_2","unstructured":"United States Census Bureau. 2022. U.S. Census Bureau QuickFacts. Retrieved September 4 2024 from https:\/\/www.census.gov\/quickfacts\/fact\/table\/US\/LFE046220"},{"key":"e_1_3_2_112_2","doi-asserted-by":"publisher","DOI":"10.1145\/2858036.2858546"},{"key":"e_1_3_2_113_2","first-page":"65","volume-title":"Proceedings of the USENIX Security Symposium","author":"Ur Blase","year":"2012","unstructured":"Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle L. Mazurek, Timothy Passaro, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. 2012. How does your password measure up? The effect of strength meters on password creation. In Proceedings of the USENIX Security Symposium. USENIX, 65\u201380. Retrieved from https:\/\/www.usenix.org\/system\/files\/conference\/usenixsecurity12\/sec12-final209.pdf"},{"key":"e_1_3_2_114_2","first-page":"123","volume-title":"Proceedings of the Symposium on Usable Privacy and Security","author":"Ur Blase","year":"2015","unstructured":"Blase Ur, Fumiko Noma, Jonathan Bees, Sean M. Segreti, Richard Shay, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. 2015. \u201cI added \u2018!\u2019 at the end to make it secure\u201d: Observing password creation in the lab. In Proceedings of the Symposium on Usable Privacy and Security. USENIX, 123\u2013140. Retrieved from https:\/\/www.usenix.org\/system\/files\/conference\/soups2015\/soups15-paper-ur.pdf"},{"key":"e_1_3_2_115_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.ijhcs.2018.11.003"},{"key":"e_1_3_2_116_2","unstructured":"Ashlee Vance. 2010. If Your Password Is 123456 Just Make It HackMe. Retrieved September 4 2024 from https:\/\/www.nytimes.com\/2010\/01\/21\/technology\/21password.html"},{"key":"e_1_3_2_117_2","doi-asserted-by":"publisher","DOI":"10.1109\/HICSS.2013.196"},{"key":"e_1_3_2_118_2","first-page":"27:1","volume-title":"Proceedings of the Symposium on Network and Distributed System Security","author":"Veras Rafael","year":"2014","unstructured":"Rafael Veras, Christopher Collins, and Julie Thorpe. 2014. On the semantic patterns of passwords and their security impact. In Proceedings of the Symposium on Network and Distributed System Security. Internet Society, 27:1\u201327:16. Retrieved from https:\/\/www.ndss-symposium.org\/ndss2014\/programme\/semantic-patterns-passwords-and-their-security-impact\/"},{"key":"e_1_3_2_119_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978339"},{"key":"e_1_3_2_120_2","first-page":"175","volume-title":"Proceedings of the Symposium on Usable Privacy and Security","author":"Wash Rick","year":"2016","unstructured":"Rick Wash, Emilee Radar, Ruthie Berman, and Zac Wellmer. 2016. Understanding password choices: How frequently entered passwords are re-used across websites. In Proceedings of the Symposium on Usable Privacy and Security. USENIX, 175\u2013188. Retrieved from"},{"key":"e_1_3_2_121_2","doi-asserted-by":"publisher","DOI":"10.1145\/3025453.3025911"},{"key":"e_1_3_2_122_2","doi-asserted-by":"publisher","DOI":"10.1037\/0033-2909.132.2.249"},{"key":"e_1_3_2_123_2","doi-asserted-by":"publisher","DOI":"10.1037\/0278-6133.12.4.324"},{"key":"e_1_3_2_124_2","first-page":"157","volume-title":"Proceedings of the USENIX Security Symposium","author":"Wheeler Daniel Lowe","year":"2016","unstructured":"Daniel Lowe Wheeler. 2016. zxcvbn: Low-budget password strength estimation. In Proceedings of the USENIX Security Symposium. USENIX, 157\u2013173. Retrieved from https:\/\/www.usenix.org\/system\/files\/conference\/usenixsecurity16\/sec16_paper_wheeler.pdf"},{"key":"e_1_3_2_125_2","doi-asserted-by":"publisher","DOI":"10.1177\/109019810002700"},{"key":"e_1_3_2_126_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.chb.2008.04.005"},{"key":"e_1_3_2_127_2","first-page":"395","volume-title":"Proceedings of the Symposium on Usable Privacy and Security","author":"Wu Justin","year":"2018","unstructured":"Justin Wu and Daniel Zappala. 2018. When is a tree really a truck? Exploring mental models of encryption. In Proceedings of the Symposium on Usable Privacy and Security. USENIX, 395\u2013409. Retrieved from https:\/\/www.usenix.org\/system\/files\/conference\/soups2018\/soups2018-wu.pdf"},{"key":"e_1_3_2_128_2","doi-asserted-by":"publisher","DOI":"10.1145\/3290605.3300424"},{"key":"e_1_3_2_129_2","first-page":"197","volume-title":"Proceedings of the Symposium on Usable Privacy and Security","author":"Zou Yixin","year":"2018","unstructured":"Yixin Zou, Abraham H Mhaidli, Austin McCall, and Florian Schaub. 2018. \u201cI\u2019ve got nothing to lose\u201d: Consumers\u2019 risk perceptions and protective actions after the equifax data breach. In Proceedings of the Symposium on Usable Privacy and Security. USENIX, 197\u2013216. Retrieved from https:\/\/www.usenix.org\/system\/files\/conference\/soups2018\/soups2018-zou.pdf"},{"key":"e_1_3_2_130_2","doi-asserted-by":"publisher","DOI":"10.1145\/3313831.3376570"}],"container-title":["ACM Transactions on Computer-Human Interaction"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3689432","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3689432","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T00:05:45Z","timestamp":1750291545000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3689432"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,10,31]]},"references-count":129,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2024,10,31]]}},"alternative-id":["10.1145\/3689432"],"URL":"https:\/\/doi.org\/10.1145\/3689432","relation":{},"ISSN":["1073-0516","1557-7325"],"issn-type":[{"value":"1073-0516","type":"print"},{"value":"1557-7325","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,10,31]]},"assertion":[{"value":"2022-11-23","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-07-05","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-11-09","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}