
A comprehensive simulation tool for the analysis of password policies

  • Regular Contribution
  • International Journal of Information Security

Abstract

Modern organizations rely on passwords to prevent illicit access to valuable data and resources. A well-designed password policy helps users create and manage more effective passwords. This paper offers a novel model and tool for understanding, creating, and testing password policies. We present a password policy simulation model that incorporates factors such as simulated users, accounts, and services. The model and its implementation enable administrators responsible for creating and managing password policies to test them before imposing them on actual users. It also allows researchers to test how different password policy factors affect security, without the time and expense of studies with human participants. We begin by presenting our password policy simulation model. We next discuss prior work and validate the model by showing that it is consistent with previous research conducted on human users. We then present and discuss experimental results derived using the model.



Corresponding author

Correspondence to Richard Shay.

About this article

Cite this article

Shay, R., Bertino, E. A comprehensive simulation tool for the analysis of password policies. Int. J. Inf. Secur. 8, 275–289 (2009). https://doi.org/10.1007/s10207-009-0084-3
