Of passwords and people: measuring the effect of password-composition policies
Author(s): Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle L. Mazurek, Lujo Bauer, Serge Egelman

Date: May 2011
Publication: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI '11
Page(s): 2595 - 2604
Publisher: ACM
Source 1: http://cups.cs.cmu.edu/rshay/pubs/passwords_and_people2011.pdf
Source 2: http://dl.acm.org/citation.cfm?id=1979321 - Subscription or payment required

Abstract or Summary:
Text-based passwords are the most common mechanism for authenticating humans to computer systems. To prevent users from picking passwords that are too easy for an adversary to guess, system administrators adopt password-composition policies (e.g., requiring passwords to contain symbols and numbers). Unfortunately, little is known about the relationship between password-composition policies and the strength of the resulting passwords, or about the behavior of users (e.g., writing down passwords) in response to different policies. We present a large-scale study that investigates password strength, user behavior, and user sentiment across four password-composition policies. We characterize the predictability of passwords by calculating their entropy, and find that a number of commonly held beliefs about password composition and strength are inaccurate. We correlate our results with user behavior and sentiment to produce several recommendations for password-composition policies that result in strong passwords without unduly burdening users.

PasswordResearch.com Note: Additional authors listed for this paper: Nicolas Christin and Lorrie Faith Cranor.

Do you have additional information to contribute regarding this research paper? If so, please email siteupdates@passwordresearch.com with the details.

<-- Back to Authentication Research Paper Index

[Home] [About Us] [News] [Research]

Copyright © 2016 PasswordResearch.com