Can Long Passwords Be Secure and Usable?
Authors: Richard Shay, Saranga Komanduri, Adam L. Durity, Phillip (Seyoung) Huh, Michelle L. Mazurek, Sean M. Segreti

Date: April 2014
Publication: Proceedings of the 2014 SIGCHI Conference on Human Factors in Computing Systems, CHI '14
Page(s): 2927 - 2936
Publisher: ACM
Source 1:
Source 2:
Source 3: - Subscription or payment required

Abstract or Summary:
To encourage strong passwords, system administrators employ password-composition policies, such as a traditional policy requiring that passwords have at least 8 characters from 4 character classes and pass a dictionary check. Recent research has suggested, however, that policies requiring longer passwords with fewer additional requirements can be more usable and in some cases more secure than this traditional policy. To explore long passwords in more detail, we conducted an online experiment with 8,143 participants. Using a cracking algorithm modified for longer passwords, we evaluate eight policies across a variety of metrics for strength and usability. Among the longer policies, we discover new evidence for a security/usability tradeoff, with none being strictly better than another on both dimensions. However, several policies are both more usable and more secure that the traditional policy we tested. Our analyses additionally reveal common patterns and strings found in cracked passwords. We discuss how system administrators can use these results to improve password-composition policies. Note: Additional unlisted authors are Blasť Ur, Luho Bauer, Nicolas Christin, Lorrie Faith Cranor

Do you have additional information to contribute regarding this research paper? If so, please email with the details.

<-- Back to Authentication Research Paper Index

[Home] [About Us] [News] [Research]

Copyright © 2019