Response-efficacy messages produce stronger passwords than self-efficacy messages … for now: A longitudinal experimental study of the efficacy of coping message types on password creation behaviour

Abstract

User non-adherence to password guidelines remains a persistent challenge in the fight against cyberattacks. Many users circumvent password requirements by choosing weak, easy-to-guess passwords. This study tests the effectiveness of coping messages (i.e., self-efficacy, response efficacy, and a combination of self-efficacy and response efficacy) to improve the strength of passwords created by users. Participants (N = 221) were instructed to create passwords for three fictional online accounts after receiving password creation instructions that incorporated one of the aforementioned coping message types. They then reported their intentions to adopt strong passwords post-intervention and reported on their actual password practices four weeks later. Findings indicate that the strength of the created passwords did not improve based on the messages participants received, and those who received self-efficacy messages actually created passwords with lower entropy. The intention to adopt strong passwords was only elevated for participants who received combined self-efficacy and response efficacy condition, and neither message type had a clear impact on user behaviour after four weeks. This study paves the way for developing more effective messages based on the Protection Motivation Theory (PMT) constructs to encourage safe password behaviour.