THE TIMING OF DIGITAL NUDGES Exploring the Impact of Digital Nudge Timing on Password Strength

Abstract

In the digital age, passwords remain a primary method of authentication, yet many users create weak passwords, posing serious cybersecurity risks. Digital nudging, rooted in theory on choice architecture, has shown potential in guiding users towards more secure practices by subtly influencing behavior. However, not much is known regarding how the timing of such nudges affect password strength. Existing studies typically focus on the content of the nudge and not as much the timing. This study addresses that gap by exploring whether the presentation of a digital nudge appearing before, during or after a password creation window influences the strength and composition of the passwords created by users. To investigate this, three survey-based experiments were conducted, each corresponding to a different point in time at which the digital nudge was presented: before, during, or after a password creation window (referred to as the pre, during and post experiments in this essay). Password strength was measured through the use of two established tools, zxcvbn and Password Meter, to assess what this study refers to as the intrinsic and compositional complexity. Our findings reveal that nudge timing alone did not significantly impact password strength. However, whether participants decided to follow the nudge’s instructions when creating passwords had a significant impact: those who reported ignoring the nudge created significantly stronger passwords in terms of compositional complexity, whereas intrinsic complexity remained the same. This unexpected finding highlights the importance of nudge design and lays the foundation for future research on nudge timings in the cybersecurity field.