What's a Special Character Anyway? Effects of Ambiguous Terminology in Password Rules

Published: September 23, 2016

Author(s)

Yee-Yin Choong, Kristen Greene

Abstract

Although many aspects of passwords have been studied, no research to date has systematically examined how ambiguous terminology affects the user experience during password rule comprehension, a necessary precursor to password generation. Our research begins to address this gap by focusing on users’ comprehension of password generation rules. Varying terms—special characters, symbols, non-alphanumeric characters, and punctuation—are used in different password rules, but mostly without explicit definition. In this laboratory study, we used character-selection and compliance-checking tasks with 60 participants to investigate effects of varying terms on users’ password rule comprehension. Results show that manipulating terminology caused participants’ conception of the allowed character space to shrink or expand. Our quantitative and qualitative data show that participants were extremely confused by the variety of terms for “special character.” Seemingly small changes in language have large, observable impacts on users’ understanding of password rules. Language in password requirements must be carefully constructed to ensure that people fully comprehend the allowable character space. This research is an important first step to providing data-driven guidance on constructing clearer language for password rules.
Proceedings Title: Proceedings of the 2016 Human Factors and Ergonomics Society Annual Meeting
Conference Dates: September 19-23, 2016
Conference Location: Washington, DC
Conference Title: 2016 HFES Annual Meeting
Pub Type: Conferences

Keywords

Human Factors, Password language, Password policies, Password requirements, Usability, Usable security, User experience
Created September 23, 2016, Updated November 10, 2018