Why we hate IT: two surveys on pre-generated and expiring passwords in an academic setting

We performed two surveys to understand how members of a university managed their passwords. At password creation, the university offered people four pre-generated random passwords, with the option of creating their own subject to stringent requirements. All passwords expired after 120 days. We found that most respondents chose to create their own password and used coping strategies that undermined the security the requirements were meant to provide, and they also reported that the expiration period was too short. We also attempt to connect these behaviors to respondents' other password habits and demographics. We conclude that pre-generated random passwords, stringent password requirements, and rapid password expiration are unusable security requirements for most people and lead users to subvert password requirements and reuse passwords. Copyright © 2015 John Wiley & Sons, Ltd.
