Toggle Main Menu Toggle Search

Open Access padlockePrints

Effect of Cognitive Depletion on Password Choice

Lookup NU author(s): Professor Thomas GrossORCiD, Dr Kovila Coopamootoo



Background. The Limited Strength model of cognitive psychology predicts that human capacity to exert cognitive effort is limited and that decision making is impeded once high depletion is reached. Aim. We investigate how password choice differs between depleted and non-depleted users. Method. Two groups of 50 subjects each were asked to generate a password. One group was cognitively depleted, the other was not. Password strength was measured and compared across groups. Results. Using a stepwise linear regression we found that password strength is predicted by deple- tion level, personality traits and mood, with an over- all studentized R2 = .206. The depletion level was the strongest predictor of password strength (pre- dictor importance 0.371 and p = .001). Participants with slight effortful exertion created significantly better passwords than the undepleted control group. Participants with high depletion created worse pass- words than the control group. Conclusions. That strong depletion diminishes the capacity to choose strong passwords indicates that cognitive effort is necessary for the creation of strong passwords. It is surprising that slight exertion of cognitive effort prior to the password creation leads to stronger passwords. Our findings open up new avenues for usable security research through deliberately eliciting cognitive effort and replenish- ing after depletion and indicate the potential of in- vestigating personality traits and current mood.

Publication metadata

Author(s): Gross T, Coopamootoo KPL, Al-Jabri A

Editor(s): Sean Peisert

Publication type: Conference Proceedings (inc. Abstract)

Publication status: Published

Conference Name: Learning from Authoritative Security Experiment Results Workshop (LASER)

Year of Conference: 2016

Acceptance date: 29/02/2016

Date deposited: 20/09/2016

Publisher: IEEE


Notes: Workshop run in association with the 37th IEEE Symposium on Security and Privacy 2016