On the user friendliness of password creation policy designs in the wild

Password creation policy designs (PCPDs) are the design of site interfaces for user password registration. Much attention has been paid to the security of password policies, but there is a lack of research on the presentation of PCPDs (i.e., password rule (PR), password registration error message (PREM), and password strength meter (PSM)). To fill this gap, we, for the first time, evaluate the user-friendliness of PCPDs across 163 Chinese and 202 U.S. websites. We define two key criteria for PCPD user-friendliness: friendly timing and friendly explanation. Our results present a concerning picture: only 8.6% (14/163) of Chinese sites and 3.5% (7/202) of U.S. sites meet our user-friendliness criteria for PCPDs. To validate our user-friendly PCPDs, we conduct a survey with 249 U.S. and Chinese participants, confirming that over 75% of participantssupport our criteria for optimal password creation interfaces. Furthermore, we conduct a correlation analysis of the security of the PCPD and corresponding password datasets from eleven Chinese and U.S. websites. We reveal that an unfriendly PCPD increases the time for password creation and login, but does not improve password security. Our work highlights that leading services need substantial improvements in the usability of PCPDs during the user registration process.