What’s a Special Character Anyway? Effects of Ambiguous Terminology in Password Rules

Although many aspects of passwords have been studied, no research to date has systematically examined how ambiguous terminology affects the user experience during password rule comprehension, a necessary precursor to password generation. Our research begins to address this gap by focusing on users’ comprehension of password generation rules. Varying terms—special characters, symbols, non-alphanumeric characters, and punctuation—are used in different password rules, but mostly without explicit definition. In this laboratory study, we used character-selection and compliance-checking tasks with 60 participants to investigate effects of varying terms on users’ password rule comprehension. Results show that manipulating terminology caused participants’ interpretation of the allowed character space to shrink or expand. Our quantitative and qualitative data show that participants were extremely confused by the variety of terms for “special character.” Seemingly small changes in language have large, observable impacts on users’ understanding of password rules. Language in password requirements must be carefully constructed to ensure that users fully comprehend the allowable character space. This research is an important first step to providing data-driven guidance on constructing clearer language for password rules.