Of passwords and people: measuring the effect of password-composition policies

Text-based passwords are the most common mechanism for authenticating humans to computer systems. To prevent users from picking passwords that are too easy for an adversary to guess, system administrators adopt password-composition policies (e.g., requiring passwords to contain symbols and numbers). Unfortunately, little is known about the relationship between password-composition policies and the strength of the resulting passwords, or about the behavior of users (e.g., writing down passwords) in response to different policies. We present a large-scale study that investigates password strength, user behavior, and user sentiment across four password-composition policies. We characterize the predictability of passwords by calculating their entropy, and find that a number of commonly held beliefs about password composition and strength are inaccurate. We correlate our results with user behavior and sentiment to produce several recommendations for password-composition policies that result in strong passwords without unduly burdening users.
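The abstract describes two measurements that are easy to mirror in code: checking a password set against composition policies, and estimating the predictability of that set from its entropy. The following is an added example, not code from the paper or its authors; the three policies, the six sample passwords and the per-position entropy estimate are all constructed here for illustration and are not the four policies or the data the study used.

```python
import math
from collections import Counter

# Constructed policies for illustration (not the four policies studied in the paper).
# "classes" is the number of distinct character classes required out of
# lowercase, uppercase, digit and symbol.
POLICIES = {
    "min8": {"min_len": 8, "classes": 1},
    "min8_mixed": {"min_len": 8, "classes": 3},
    "min16": {"min_len": 16, "classes": 1},
}

# Constructed sample standing in for a collected password set.
SAMPLE = [
    "password",
    "Password1!",
    "Tr0ub4dor&3",
    "correcthorsebatterystaple",
    "aaaaaaaa",
    "Sunshine2024#",
]


def count_classes(pw: str) -> int:
    """Number of character classes present in pw: lower, upper, digit, symbol."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: not c.isalnum() and not c.isspace())
    return sum(any(check(c) for c in pw) for check in checks)


def complies(pw: str, policy: dict) -> bool:
    """True if pw meets the policy's minimum length and class requirement."""
    return len(pw) >= policy["min_len"] and count_classes(pw) >= policy["classes"]


def policy_report(passwords, policies=POLICIES) -> dict:
    """Count how many passwords in the set satisfy each policy."""
    return {name: sum(complies(pw, pol) for pw in passwords)
            for name, pol in policies.items()}


def shannon_entropy(symbols) -> float:
    """Plug-in (maximum-likelihood) Shannon entropy in bits of an observed sample."""
    symbols = list(symbols)
    n = len(symbols)
    if n == 0:
        return 0.0
    return -sum((k / n) * math.log2(k / n) for k in Counter(symbols).values())


def positional_entropy(passwords, positions: int) -> list:
    """Entropy of the character at each of the first `positions` positions,
    estimated over the passwords long enough to have that position."""
    out = []
    for i in range(positions):
        column = [pw[i] for pw in passwords if len(pw) > i]
        out.append(shannon_entropy(column))
    return out


if __name__ == "__main__":
    print(policy_report(SAMPLE))
    for i, bits in enumerate(positional_entropy(SAMPLE, 3)):
        print(f"position {i}: {bits:.2f} bits")
```

The plug-in estimator is biased low on small samples (rare characters that never appear in the sample contribute nothing), so numbers computed over a handful of constructed passwords only illustrate the mechanics; meaningful comparisons between policies need sample sizes on the scale of the study the abstract describes.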