DOI: 10.1145/1837110.1837113
Research article

Encountering stronger password requirements: user attitudes and behaviors

Published: 14 July 2010

Abstract

Text-based passwords are still the most commonly used authentication mechanism in information systems. We took advantage of a unique opportunity presented by a significant change in the Carnegie Mellon University (CMU) computing services password policy that required users to change their passwords. Through our survey of 470 CMU computer users, we collected data about behaviors and practices related to the use and creation of passwords. We also captured users' opinions about the new, stronger policy requirements. Our analysis shows that, although most of the users were annoyed by the need to create a complex password, they believe that they are now more secure. Furthermore, we perform an entropy analysis and discuss how our findings relate to NIST recommendations for creating a password policy. We also examine how users answer specific questions related to their passwords. Our results can be helpful in designing better password policies that consider not only technical aspects of specific policy rules, but also users' behavior in response to those rules.


Published In

SOUPS '10: Proceedings of the Sixth Symposium on Usable Privacy and Security
July 2010
236 pages
ISBN:9781450302647
DOI:10.1145/1837110

Sponsors

  • Carnegie Mellon University

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. passwords
  2. policy
  3. security
  4. survey
  5. usability

Conference

SOUPS '10: Symposium on Usable Privacy and Security
July 14 - 16, 2010
Redmond, Washington, USA

Acceptance Rates

Overall Acceptance Rate 15 of 49 submissions, 31%
