Abstract
Modern organizations rely on passwords to prevent illicit access to valuable data and resources. A well-designed password policy helps users create and manage more effective passwords. This paper offers a novel model and tool for understanding, creating, and testing password policies. We present a password policy simulation model that incorporates factors such as simulated users, accounts, and services. The model and its implementation let administrators responsible for creating and managing password policies test those policies before imposing them on actual users. They also let researchers test how different password policy factors affect security, without the time and expense of human-subject studies. We begin by presenting our password policy simulation model. We next discuss prior work and validate the model by showing that it is consistent with previous research conducted on human users. We then present and discuss experimental results derived using the model.
Cite this article
Shay, R., Bertino, E. A comprehensive simulation tool for the analysis of password policies. Int. J. Inf. Secur. 8, 275–289 (2009). https://doi.org/10.1007/s10207-009-0084-3