|
Can Long Passwords Be Secure and Usable?
Date: April 2014 Publication: Proceedings of the 2014 SIGCHI Conference on Human Factors in Computing Systems, CHI '14 Page(s): 2927 - 2936 Publisher: ACM Source 1: http://www.blaseur.com/papers/chi2014-longpasswords.pdf Source 2: http://lorrie.cranor.org/pubs/longpass-chi2014.pdf Source 3: http://dx.doi.org/10.1145/2556288.2557377 - Subscription or payment required Abstract or Summary:
To encourage strong passwords, system administrators employ password-composition policies, such as a traditional policy requiring that passwords have at least 8 characters from 4 character classes and pass a dictionary check. Recent research has suggested, however, that policies requiring longer passwords with fewer additional requirements can be more usable and in some cases more secure than this traditional policy. To explore long passwords in more detail, we conducted an online experiment with 8,143 participants. Using a cracking algorithm modified for longer passwords, we evaluate eight policies across a variety of metrics for strength and usability. Among the longer policies, we discover new evidence for a security/usability tradeoff, with none being strictly better than another on both dimensions. However, several policies are both more usable and more secure that the traditional policy we tested. Our analyses additionally reveal common patterns and strings found in cracked passwords. We discuss how system administrators can use these results to improve password-composition policies. PasswordResearch.com Note: Additional unlisted authors are Blasé Ur, Luho Bauer, Nicolas Christin, Lorrie Faith Cranor
Do you have additional information to contribute regarding this research paper? If so, please email siteupdates@passwordresearch.com with the details.
<-- Back to Authentication Research Paper Index |