An Empirical Investigation of Security Fatigue: The Case of Password Choice after Solving a CAPTCHA

Authors: 

Kovila P.L. Coopamootoo and Thomas Groß, Newcastle University; M. Faizal R. Pratama, University of Derby

Abstract: 

Background. User fatigue or overwhelm in current security tasks has been called security fatigue by the research community. However, security fatigue can also impact subsequent tasks. For example, while the CAPTCHA is a widespread security measure that aims to separate humans from bots [26], it is also known to be difficult for humans. Yet, to date it is not known how solving a CAPTCHA influences other subsequent tasks.

Aim. We investigate users’ password choice after a CAPTCHA challenge.

Method. We conduct a between-subject lab experiment. Three groups of 66 participants were each asked to generate a password. Two groups were given a CAPTCHA to solve prior to password choice; the third group was not. Password strength was measured and compared across groups.

Results. We found a significant difference in password strength across conditions, with p = .002, corresponding to a large effect size of f = .42. We found that solving a text- or picture-CAPTCHA results in significantly poorer password choice than not solving a CAPTCHA.

Conclusions. We contribute a first known empirical study investigating the impact of a CAPTCHA on password choice and of designing security tasks in a sequence. It raises questions on the usability, security fatigue and overall system security achieved when password choice follows another effortful task or is paired with a security task.

BibTeX
@inproceedings {209358,
author = {Kovila P.L. Coopamootoo and Thomas Gross and M. Faizal R. Pratama},
title = {An Empirical Investigation of Security Fatigue: The Case of Password Choice after Solving a {CAPTCHA}},
booktitle = {The {LASER} Workshop: Learning from Authoritative Security Experiment Results ({LASER} 2017)},
year = {2017},
isbn = {978-1-931971-41-6},
pages = {39--48},
url = {https://www.usenix.org/conference/laser2017/presentation/coopamootoo},
publisher = {{USENIX} Association},
}