The Good and Not So Good of Enforcing Password Composition Rules

ABSTRACT

Many systems rely on password composition rules to force users to choose more secure passwords. The findings discussed here are from a study on the enforcement of good password practice in the form of password composition rules. The results show that the enforcement of password composition rules does not discourage users from using meaningful information in passwords. While composition rules reduce password reuse, the overall incidence remains high. Passwords created under these conditions are also perceived to be more difficult to remember. Nevertheless, the enforcement of password composition rules does significantly improve protection against dictionary-based attack.
