Open access

Designing Password Policies for Strength and Usability

Published: 06 May 2016

Abstract

Password-composition policies are the result of service providers becoming increasingly concerned about the security of online accounts. These policies restrict the space of user-created passwords to preclude easily guessed passwords and thus make passwords more difficult for attackers to guess. However, many users struggle to create and recall their passwords under strict password-composition policies, for example, ones that require passwords to have at least eight characters with multiple character classes and a dictionary check. Recent research showed that a promising alternative was to focus policy requirements on password length instead of on complexity. In this work, we examine 15 password policies, many focusing on length requirements. In doing so, we contribute the first thorough examination of policies requiring longer passwords. We conducted two online studies with over 20,000 participants, and collected both usability and password-strength data. Our findings indicate that password strength and password usability are not necessarily inversely correlated: policies that lead to stronger passwords do not always reduce usability. We identify policies that are both more usable and more secure than commonly used policies that emphasize complexity rather than length requirements. We also provide practical recommendations for service providers who want their users to have strong yet usable passwords.
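To make concrete what the abstract means by a policy that restricts the space of user-created passwords, here is a small checker for two illustrative policies. This is an added example, not code from the paper or its authors: the first policy mirrors the abstract's description of a strict complexity policy (at least eight characters, multiple character classes, a dictionary check), with "all four classes" chosen here as the illustrative reading of "multiple"; the second is a length-focused policy whose 16-character threshold is an assumed parameter, not one of the paper's 15 policies. The wordlist is a constructed stand-in for a real dictionary, and the dictionary normalisation (lowercase, strip non-letters) is one common implementation choice, not necessarily the paper's procedure.

```python
"""Two illustrative password-composition policies, checked offline.

Added example; not the paper's code. Policy parameters marked below are
assumptions made for illustration.
"""
import re
import string
from dataclasses import dataclass

# Constructed mini-dictionary; a deployment would load a large wordlist.
SAMPLE_DICTIONARY = frozenset(
    {"password", "letmein", "monkey", "dragon", "correct", "horse", "battery", "staple"}
)

CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def character_classes(password: str) -> set[str]:
    """Names of the character classes that appear in the password."""
    return {
        name for name, chars in CHARACTER_CLASSES.items()
        if any(c in chars for c in password)
    }


def dictionary_hit(password: str, dictionary=SAMPLE_DICTIONARY) -> bool:
    """Common dictionary-check normalisation (assumed, not the paper's exact
    procedure): lowercase, drop every non-letter, then look the result up.
    Catches 'Password1!' (-> 'password') but not leetspeak like 'P@ssword'."""
    stripped = re.sub(r"[^a-z]", "", password.lower())
    return stripped in dictionary


@dataclass(frozen=True)
class Policy:
    """A password-composition policy: minimum length, minimum number of
    character classes, and whether a dictionary check is applied."""
    name: str
    min_length: int
    min_classes: int = 1
    dictionary_check: bool = False

    def violations(self, password: str, dictionary=SAMPLE_DICTIONARY) -> list[str]:
        """Every requirement the password fails; empty list means accepted."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if len(character_classes(password)) < self.min_classes:
            problems.append(f"fewer than {self.min_classes} character classes")
        if self.dictionary_check and dictionary_hit(password, dictionary):
            problems.append("based on a dictionary word")
        return problems

    def accepts(self, password: str) -> bool:
        return not self.violations(password)


# Complexity policy as described in the abstract; "four classes" is the
# illustrative reading of "multiple character classes".
COMPLEXITY_8 = Policy("8 chars, 4 classes, dictionary check",
                      min_length=8, min_classes=4, dictionary_check=True)
# Length-focused policy; the 16-character threshold is an assumed parameter.
LENGTH_16 = Policy("16 chars, no other requirements", min_length=16)

if __name__ == "__main__":
    # Constructed sample passwords, chosen to exercise each rule.
    for pw in ["Password1!", "Tr0ub4dor&3", "correct horse battery staple"]:
        for policy in (COMPLEXITY_8, LENGTH_16):
            verdict = "accepted" if policy.accepts(pw) else ", ".join(policy.violations(pw))
            print(f"{pw!r:32} under [{policy.name}]: {verdict}")
```

Running it shows the tension the abstract describes: a password such as "Tr0ub4dor&3" satisfies the complexity policy yet fails the length policy, while a long all-lowercase passphrase passes the length policy and fails the complexity one. Note that the simple normalisation in `dictionary_hit` does not catch character substitutions ("P@ssword" is stripped to "pssword"), which is one reason dictionary checks alone are a weak proxy for guess resistance.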


Published In

ACM Transactions on Information and System Security, Volume 18, Issue 4
May 2016
88 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/2928292

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 06 May 2016
Accepted: 01 February 2016
Revised: 01 December 2015
Received: 01 May 2015
Published in TISSEC Volume 18, Issue 4

Author Tags

1. Passwords
2. authentication
3. password-composition policy
4. usable security

Qualifiers

• Research-article
• Research
• Refereed
