research-article
Open Access

Designing Password Policies for Strength and Usability

Published: 06 May 2016

Abstract

Password-composition policies are the result of service providers becoming increasingly concerned about the security of online accounts. These policies restrict the space of user-created passwords to preclude easily guessed passwords and thus make passwords more difficult for attackers to guess. However, many users struggle to create and recall their passwords under strict password-composition policies, for example, ones that require passwords to have at least eight characters with multiple character classes and a dictionary check. Recent research showed that a promising alternative was to focus policy requirements on password length instead of on complexity. In this work, we examine 15 password policies, many focusing on length requirements. In doing so, we contribute the first thorough examination of policies requiring longer passwords. We conducted two online studies with over 20,000 participants, and collected both usability and password-strength data. Our findings indicate that password strength and password usability are not necessarily inversely correlated: policies that lead to stronger passwords do not always reduce usability. We identify policies that are both more usable and more secure than commonly used policies that emphasize complexity rather than length requirements. We also provide practical recommendations for service providers who want their users to have strong yet usable passwords.
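As an added illustration (not code from the paper or its authors), the two policy styles the abstract contrasts, written as checkers: a complexity policy (at least eight characters, multiple character classes, a dictionary check) beside a length-only policy. Assumptions of mine, not the paper's: all four character classes are required, the dictionary check strips non-letters before lookup, the length policy's 16-character minimum, and the small embedded word list.

```python
import re

# Constructed stand-in for a dictionary-check word list; a deployment would
# load a full word list instead of these six entries.
DICTIONARY = {"password", "welcome", "monkey", "dragon", "letmein", "qwerty"}

CLASS_PATTERNS = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def character_classes(pw):
    """Return the set of character-class names present in pw."""
    return {name for name, pat in CLASS_PATTERNS.items() if pat.search(pw)}


def fails_dictionary_check(pw, dictionary=DICTIONARY):
    """Assumed dictionary check: drop every non-letter, lowercase what is
    left, and reject if that string is a dictionary word. This is what makes
    'Password123!' fail even though it satisfies every other requirement."""
    letters = re.sub(r"[^a-z]", "", pw.lower())
    return letters in dictionary


def complexity_policy(pw, min_len=8, min_classes=4, dictionary=DICTIONARY):
    """Complexity-focused policy from the abstract. Returns the list of
    violated requirements; an empty list means the password is accepted.
    Requiring all four classes is an assumption (the abstract says 'multiple')."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    present = character_classes(pw)
    if len(present) < min_classes:
        missing = sorted(set(CLASS_PATTERNS) - present)
        problems.append("missing character classes: " + ", ".join(missing))
    if fails_dictionary_check(pw, dictionary):
        problems.append("letters form a dictionary word")
    return problems


def length_policy(pw, min_len=16):
    """Length-focused alternative: a minimum length and nothing else.
    The 16-character minimum is assumed; the abstract gives no number."""
    return [f"shorter than {min_len} characters"] if len(pw) < min_len else []


def compare_policies(candidates):
    """Evaluate each candidate under both policies; useful for seeing which
    passwords one policy accepts and the other rejects."""
    return {pw: (complexity_policy(pw), length_policy(pw)) for pw in candidates}
```

Running `compare_policies` on a long multi-word passphrase and a short symbol-laden string shows the tension the abstract describes: the complexity policy rejects the passphrase for lacking digits and uppercase, while the length policy rejects the short string.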


Published in

ACM Transactions on Information and System Security, Volume 18, Issue 4
May 2016
88 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/2928292

Copyright © 2016 Owner/Author

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 6 May 2016
• Accepted: 1 February 2016
• Revised: 1 December 2015
• Received: 1 May 2015

Qualifiers

• research-article
• Research
• Refereed