Nudging personalized password policies by understanding users’ personality

Password composition policies are used to prevent users from picking weak passwords. A website usually provides a unified password policy for each user but ignores the fact that people have a variety of preferences due to individual differences, which makes it difficult to achieve the expected strong password goals. In order to improve the effectiveness of password composition policies, we propose a dynamic personalized password policy (DPPP), which can personally recommend different password policies according to the user’s personality traits. We conduct an online study to evaluate the security and usability of DPPP and the two common password composition policies Basic8 and 3class8. The study results show that DPPP is more effective than Basic8 and 3class8 in resisting online and offline guessing attacks. DPPP is inferior to Basic8 and 3class8 only in the creation time and outperforms 3class8 in creating difficulty with significant differences.