C Appendix: Codebook
Code categories are shown in bold type, with the list of codes
in that category following. For a more detailed version with
code descriptions, see https://osf.io/6u7m8/.
• Account type:
shopping, banking, utilities, email, social
media, healthcare, work, school, other
• Account number:
less than 10, 10-15, 16-20, 21-30,
31-50, 51-100, more than 100
• Account importance: all accounts important, financial
accounts, accounts with PII, work accounts, Facebook,
email, other
• Accounts accessed daily
: accounts accessed daily (sin-
gle code to used only identify snippet where participant
gave estimate of this number)
• Password composition:
use passwords of equal
strength, stronger passwords for more important ac-
counts, disposable/weaker passwords for unimportant
accounts, unique passwords for all accounts, unique pass-
words for important accounts, use shared substrings, use
randomly generated, use passphrase, use words related
to website type, use 2FA for more important accounts
• Devices and browsers used:
iPhone/Safari,
iPhone/Chrome, iPhone/Firefox, iPhone/other,
iPad/Safari, iPad/Chrome, iPad/Firefox, Win-
dows/Chrome, Windows/Firefox, Windows/Edge,
Windows/IE, Mac/Safari, Mac/Chrome, Mac/Firefox,
Android/Chrome, Android/Firefox, Android/other,
Linux/Chrome, Linux/Firefox, Linux/other
• Passwords typed daily: 0, 1-2, 5, other number
• Passwords saved: never, unimportant accounts,
• Exceptions to password reuse:
set by someone else,
need to share, use old password, forced change, password
requirements, other
• Exceptions to password reuse: method of remember-
ing exception password: write down, other
• Action when password is rejected due to password
creation requirement:
add required characters, regen-
erate new password, remove forbidden characters, other
• Password creation process:
same password for all ac-
counts, use generator, one password per “tier” of ac-
counts, use memorable personal info, other
• Current password management:
synced file, guessing
variations / resetting, physical notes, local file, memory,
third-party PM, keychain, browser, fingerprint, not sure,
other
• Password management: satisfied?:
satisfied, not satis-
fied, not sure
• Password management likes (non-PM methods):
al-
ways accessible locally, easy to remember, other
• Password management dislikes (non-PM methods):
potential to lose, hard to remember, other
• Had compromised account: yes, no, I don’t know
• Compromised account action:
major/total change to
compromised password, minimal change to compro-
mised password, contact support, change passwords for
accounts with same email, stronger password, other
• Had data breach: yes, no, I don’t know
• Data breach action:
change password, contact support,
change passwords for accounts with same email, other
• Aware of password managers?: aware, not aware
• Not use PM reason:
not many accounts, not aware of
PMs, not much to protect, security concerns, master pass-
word concerns, past negative experience, other
• Heard of PM from:
work, media, other people, I don’t
know, other
• PM definition:
store/organize passwords, unique pass-
words, generate random passwords, no need to memo-
rize, improve security, autofill, I don’t know, other
• Use PM time:
less than 1 year, about 1 year, multiple
years
• Use PM device:
all, non-shared, computers only not
phones, tablets, etc.
• Start using PM reason:
convenience, memory limita-
tions, receive prompts, security, other
• PM like function:
autofill, generate strong passwords,
no memorizing, syncing, unique passwords, view pass-
words, desktop client, other
• PM dislike reason:
incompatible device, saved un-
wanted passwords, cannot view passwords, generates
passwords with unacceptable symbols, other
• PM feature request:
PM feature request (single code
used to tag all snippets referring to features that partici-
pants wished PMs had)
• PM switch strategy: gradually, change all at start
• Use PM to store info other than website passwords:
use PM for application passwords, use PM for other info
(e.g. credit cards)
• Master password unique: yes, no
• Master password composition:
random, passphrase,
other
• Uses 2FA in combination with master password
: yes
(single code only used for participants who reported
using this combination)
• Pays for PM (if using) or willing to pay (if not using
a PM)?:
yes (currently pays or would pay), no (does not
pay / would not pay), depends
• Function that would convince them to pay for PM
:
2FA (single code, no other specific functions mentioned)
• Not pay for PM reason:
already using free version,
other
• Pay for PM price:
$5 or less per month, depends, other
• PM dashboard:
has used, has not used, not available in
their PM (as self-reported)
• Exceptions, PM users: certain passwords not stored
in PM:
infrequently used, habit, multiple accounts, per-
sonal info, shared computer, email, financial, old account
• PM generator:
not aware, aware / does not use, aware
USENIX Association Fifteenth Symposium on Usable Privacy and Security 337