Richard Shay
Saranga Komanduri
Patrick Gage Kelley
Lujo Bauer
Lorrie Faith Cranor
ABSTRACT
Text-based passwords are still the most commonly used authentication mechanism in information systems. We took advantage of a unique opportunity presented by a significant change in the Carnegie Mellon University (CMU) computing services password policy that required users to change their passwords. Through our survey of 470 CMU computer users, we collected data about behaviors and practices related to the use and creation of passwords. We also captured users' opinions about the new, stronger policy requirements. Our analysis shows that, although most of the users were annoyed by the need to create a complex password, they believe that they are now more secure. Furthermore, we perform an entropy analysis and discuss how our findings relate to NIST recommendations for creating a password policy. We also examine how users answer specific questions related to their passwords. Our results can be helpful in designing better password policies that consider not only technical aspects of specific policy rules, but also users' behavior in response to those rules.
- M. Bishop and D. V. Klein. Improving system security via proactive password checking. Computers & Security, 14(3):233--249, 1995.Google Scholar
Digital Library
- W. E. Burr, D. F. Dodson, and W. T. Polk. Electronic authentication guideline. Technical report, National Institute of Standards and Technology, 2006.Google Scholar
- D. Florencio and C. Herley. A large-scale study of web password habits. In International conference on World Wide Web, page 666, 2007. Google ScholarDigital Library
- E. F. Gehringer. Choosing passwords: security and human factors. International Symposium on Technology and Society, 2002, pages 369--373, 2002.Google ScholarCross Ref
- D. Hart. Attitudes and practices of students towards password security. Journal of Computing Sciences in Colleges, 23(5):169--174, 2008. Google ScholarDigital Library
- C. Herley. So long, and no thanks for the externalities: the rational rejection of security advice by users. In New Security Paradigms Workshop, pages 133--144, 2009. Google ScholarDigital Library
- P. Inglesant and M. A. Sasse. The true cost of unusable password policies: password use in the wild. In ACM Conference on Human Factors in Computing Systems 2010, pages 383--392, 2010. Google ScholarDigital Library
- M. Keith, B. Shao, and P. J. Steinbart. The usability of passphrases for authentication: An empirical field study. International journal of human-computer studies, 65(1):17--28, 2007. Google ScholarDigital Library
- S. Komanduri and D. R. Hutchings. Order and entropy in picture passwords. In Graphics Interface, pages 115--122, 2008. Google ScholarDigital Library
- C. Kuo, S. Romanosky, and L. F. Cranor. Human selection of mnemonic phrase-based passwords. In Symposium on Usable Privacy and Security, pages 67--78, 2006. Google ScholarDigital Library
- J. Leyden. Office workers give away passwords for a cheap pen. The Register, 2003.Google Scholar
- J. L. Massey. Guessing and entropy. In IEEE International Symposium on Information Theory, page 204, 1994.Google ScholarCross Ref
- G. Miller. Note on the bias of information estimates. Information Theory in Psychology: Problems and Methods, pages 95--100, 1955.Google Scholar
- R. W. Proctor, M.-C. Lien, K.-P. L. Vu, E. E. Schultz, and G. Salvendy. Improving computer security for authentication of users: Influence of proactive password restrictions. Behavior Research Methods, Instruments, & Computers, 34(2):163--169, 2002.Google Scholar
- RSA. Rsa security survey reveals multiple passwords creating security risks and end user frustration. http://www.rsa.com/press_release.aspx?id=6095, September 2010.Google Scholar
- SafeNet. 2004 annual password survey results. SafeNet, 2005.Google Scholar
- M. A. Sasse, S. Brostoff, and D. Weirich. Transforming the 'weakest link'---a human/computer interaction approach to usable and effective security. BT Technology Journal, 19(3):122--131, 2001. Google ScholarDigital Library
- B. Schneier. Write down your password. http://www.schneier.com/blog/archives/2005/06/write_down_your.html, June 2005.Google Scholar
- C. E. Shannon. A mathematical theory of communication. ACM SIGMOBILE Mobile Computing and Communications Review, 5(1), 1949. Google ScholarDigital Library
- R. Shay and E. Bertino. A comprehensive simulation tool for the analysis of password policies. International Journal of Information Security, 8(4):275--289, 2009. Google ScholarDigital Library
- R. Shay, A. Bhargav-Spantzel, and E. Bertino. Password policy simulation and analysis. In ACM workshop on Digital identity management, pages 1--10, 2007. Google ScholarDigital Library
- W. C. Summers and E. Bosworth. Password policy: the good, the bad, and the ugly. In Winter international synposium on Information and communication technologies, pages 1--6, 2004. Google ScholarDigital Library
- K.-P. L. Vu, R. W. Proctor, A. Bhargav-Spantzel, B.-L. B. Tai, and J. Cook. Improving password security and memorability to protect personal and organizational information. International Journal of Human-Computer Studies, 65(8):744--757, 2007. Google ScholarDigital Library
- M. Zviran and W. J. Haga. Password security: an empirical study. Journal of Management Information Systems, 15(4):161--185, 1999. Google ScholarDigital Library
Index Terms
- Encountering stronger password requirements: user attitudes and behaviors
Recommendations
Of passwords and people: measuring the effect of password-composition policies
CHI '11: Proceedings of the SIGCHI Conference on Human Factors in Computing SystemsText-based passwords are the most common mechanism for authenticating humans to computer systems. To prevent users from picking passwords that are too easy for an adversary to guess, system administrators adopt password-composition policies (e.g., ...
On the memorability of system-generated pins: can chunking help?
SOUPS '15: Proceedings of the Eleventh USENIX Conference on Usable Privacy and SecurityTo ensure that users do not choose weak personal identification numbers (PINs), many banks give out system-generated random PINs. 4-digit is the most commonly used PIN length, but 6-digit system-generated PINs are also becoming popular. The increased ...
Surpass: System-initiated User-replaceable Passwords
CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications SecuritySystem-generated random passwords have maximum password security and are highly resistant to guessing attacks. However, few systems use such passwords because they are difficult to remember. In this paper, we propose a system-initiated password scheme ...
Comments