Revisiting password rules: facilitating human management of passwords

Password rules were established in the context of past security concerns. Recent work in computer security challenges the conventional wisdom of expert password advice, such as "change your passwords often", "do not reuse your passwords", or "do not write your passwords down". The effectiveness of these rules for protecting user accounts against real-world attacks is questioned. We review the latest research examining password rules for general-purpose user authentication on the web, and discuss the arguments behind the continued acceptance or the rejection of each rule based on empirical evidence and sound justification. Following the review, we recommend an updated set of password rules.
