Password Composition Policy: Does Enforcement Lead to Better Password Choices?

The primary function of access controls is to restrict the use of information systems and other computer resources to authorised users only. Although more secure alternatives exist, password-based systems remain the predominant method of user authentication. Prior research shows that password security is often compromised by users who adopt inadequate password composition and management practices. One particularly under-researched area is whether formal password composition policies actually lead to more secure passwords and user security practices. Consequently, this study investigates empirically the efficacy of using password composition rules to improve password security. The results show that the enforcement of password composition rules does not significantly reduce the use of meaningful data. While the enforcement of rules does reduce password reuse, the overall incidence remains high. These passwords are also perceived by users as being more difficult to remember. Finally, the enforcement of password composition rules significantly increases the average Levenshtein edit distance between the passwords and ordinary dictionary words, indicating that enforcement does improve protection against dictionary-based attacks.
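The dictionary-distance measure the abstract reports, as an added worked example that is not the paper's own code: it computes each password's Levenshtein distance to its nearest word in a constructed dictionary and compares the mean for a constructed unenforced sample against a constructed policy-enforced one. The composition rule in `meets_policy`, the word list and every password are assumptions made for illustration, not study data.

```python
# Added example (not from the paper): Levenshtein distance to the nearest
# dictionary word, averaged over a password sample. The dictionary, the
# password lists and the policy rule below are all constructed assumptions.

def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or
    substitutions needed to turn a into b (Wagner-Fischer DP, two rows)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def distance_to_dictionary(password: str, dictionary) -> int:
    """Edit distance from the password to its closest dictionary word,
    compared case-insensitively so "Dragon" is as close as "dragon"."""
    pw = password.lower()
    return min(levenshtein(pw, w.lower()) for w in dictionary)

def mean_dictionary_distance(passwords, dictionary) -> float:
    """The per-sample statistic the study compares between groups."""
    return sum(distance_to_dictionary(p, dictionary) for p in passwords) / len(passwords)

def meets_policy(password: str, min_len: int = 8) -> bool:
    """Assumed composition rule: minimum length plus lower, upper and digit."""
    return (len(password) >= min_len
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))

# Constructed toy dictionary and password samples (not study data).
DICTIONARY = ["password", "dragon", "monkey", "letmein", "welcome", "sunshine"]
UNENFORCED = ["dragon", "monkey1", "Welcome", "sunshine"]
ENFORCED = ["Dr4gon22", "Monk3yBar", "W3lcome!9", "SunSh1ne07"]

if __name__ == "__main__":
    for label, pws in (("no policy", UNENFORCED), ("policy enforced", ENFORCED)):
        print(f"{label}: mean distance to nearest dictionary word = "
              f"{mean_dictionary_distance(pws, DICTIONARY):.2f}")
```

The small gap between 0.25 and 3.25 here is only the toy samples talking; the point is the measurement itself, which a defender can run over a real cracking wordlist to audit a user population's exposure to dictionary attacks.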
