Investigation of the Effect of Fear and Stress on Password Choice (Extended Version)
Background. The current cognitive state, such as cognitive effort and depletion, incidental affect or stress, may impact the strength of a chosen password unconsciously. Aim. We investigate the effect of incidental fear and stress on the measured strength of a chosen password. Method. We conducted two experiments with within-subject designs measuring the Zxcvbn log10 number of guesses as strength of chosen passwords as dependent variable. In both experiments, participants were signed up to a site holding their personal data and, for the second run a day later, asked under a security incident pretext to change their password. (a) Fear. N_F = 34 participants were exposed to standardized fear and happiness stimulus videos in random order. (b) Stress. N_S = 50 participants were either exposed to a battery of standard stress tasks or left in a control condition in random order. The Zxcvbn password strength was compared across conditions. Results. We did not observe a statistically significant difference in mean Zxcvbn password strengths on fear (Hedges' g_av = -0.11, 95% CI [-0.45, 0.23]) or stress (and control group, Hedges' g_av = 0.01, 95% CI [-0.31, 0.33]). However, we found a statistically significant cross-over interaction of stress and TLX mental demand. Conclusions. While having observed negligible main effect size estimates for incidental fear and stress, we offer evidence towards the interaction between stress and cognitive effort that vouches for further investigation.