Impact of restrictive composition policy on user password choices

Behaviour and Information Technology

Volumn 30, Issue 3, 2011, Pages 379-388

  Campbell, John ^a   Ma, Wanli ^a   Kleeman, Dale ^a  

^a UNIVERSITY OF CANBERRA   (Australia)

Author keywords

computer security; password authentication; password composition policy

Indexed keywords

COMPUTER RESOURCES; COMPUTER SECURITY; MANAGEMENT PRACTICES; PASSWORD AUTHENTICATION; PASSWORD COMPOSITION POLICY; PASSWORD SECURITY; PASSWORD-BASED SYSTEMS; PRIMARY FUNCTIONS; USER AUTHENTICATION; USER BEHAVIOUR;

AUTHENTICATION; INFORMATION USE; SECURITY OF DATA; SECURITY SYSTEMS;

BEHAVIORAL RESEARCH;

EID: 79956068379     PISSN: 0144929X     EISSN: 13623001     Source Type: Journal    
DOI: 10.1080/0144929X.2010.492876     Document Type: Article

References (36)

1. Aytes, K. and Connolly, T., 2004. Computer security and risky computer practices: a rational choice perspective. Journal of Organizational and End-User Computing, 16 (3), 22-40.
2. Boukhonine, S., Krotov, V., and Rupert, B., 2005. Future security approaches and biometrics. Communications of the Association for Information Systems, 16 (48), 937-966.
3. Bryant, K. and Campbell, J., 2006. User behaviours associated with password security and management. Australasian Journal of Information Systems, 14 (1), 81-100.
4. Campbell, J., Kleeman, D., and Ma, W., 2007. The good and not so good of enforcing password composition rules. Information Systems Security, 16 (1), 2-8.
5. Carstens, D.S., et al., 2004. Evaluation of the human impact of password authentication practices on information security. Informing Science Journal, 7 (1), 67-85. (Pubitemid 40659984)
6. Conklin, A., Dietrich, G., and Walz, D., 2004a. Passwordbased authentication: a system perspective. In: Proceedings of the 37th Hawaii International Conference on System Sciences, Hawaii, USA.
7. Conklin, A., et al., 2004b. Principles of computer security: security + and beyond. New York, NY: McGraw-Hill.
8. Cowan, N., Chen, Z., and Rouder, J.N., 2004. Constant capacity in an immediate serial-recall task: a logical sequel to Miller (1956). Psychological Science, 15 (9), 634-640. (Pubitemid 39234380)
9. Fedora, 2009. Fedora core 5 [online]. Available from: http:// docs.fedoraproject.org/release-notes/fc5/release-notes-ISO/ [Accessed 20 January 2009].
10. Foltz, C.B., Cronan, T.P., and Jones, T.W., 2005. Have you met your organization's computer usage policy? Industrial Management & Data Systems, 105 (2), 137-146. (Pubitemid 40682971)
11. Frederick, S., 2002. Automated choice heuristics. In: T. Gilovich, D. Griffin, and D. Kahneman, eds. Heuristics and biases: the psychology of intuitive judgment. New York, NY: Cambridge University Press, 548-558.
12. Furnell, S.M., et al., 2000. Authentication and supervision: a survey of user attitudes. Computers & Security, 19 (6), 529-539.
13. Furnell, S.M., Papadopoulos, I., and Dowland, P., 2004. A long-term trial of alternative user authentication technologies. Information Management & Computer Security, 12 (2), 178-190.
14. Irakleous, I., et al., 2002. An experimental comparison of secret-based user authentication technologies. Information Management & Computer Security, 10 (3), 100-108. (Pubitemid 34773231)
15. Ives, B., Walsh, K.R., and Schneider, H., 2004. The domino effect of password reuse. Communications of the ACM, 47 (4), 75-78.
16. Kahneman, D. and Frederick, S., 2002. Representativeness revisited: attribute substitution in intuitive judgment. In: T. Gilovich, D. Griffin, and D. Kahneman, eds. Heuristics and biases: the psychology of intuitive judgment. New York, NY: Cambridge University Press, 49-81.
17. Levenshtein, V., 1965. Binary codes capable of correcting deletions, insertions, and reversals. Problems in Information Transmission, 1, 8-17.
18. Microsoft, 2009. Forcing strong password usage throughout your organization [online]. Available form: http://technet. microsoft.com/en-us/ library/cc875814.aspx [Accessed 20 January 2009].
19. Miller, G.A., 1956. The magical number seven, plus or minus two: some limits on our capacity for processing information. Psychological Review, 63, 81-97.
20. Piscitello, D. and Kent, S., 2003. The sad and increasingly deplorable state of internet security. Business Communications Review, February, 49-53.
21. Pfleeger, C.P. and Pfleeger, S.L., 2003. Security in computing. 3rd ed. New York, NY: Prentice Hall.
22. Proctor, R.W., et al., 2002. Improving computer security for authentication of users: influence of proactive password restrictions. Behaviour Research Methods, Instruments & Computers, 34 (2), 163-169.
23. Renaud, L. and Ramsay, J., 2007. Now what was that password again? A more flexible way of identifying and authenticating our seniors. Behaviour & Information Technology, 26 (4), July-August, 309-322. (Pubitemid 47171546)
24. Rhodes, K., 2004. Operations security awareness: the mind has no firewall. Computer Security Journal, 16 (2), 27-36.
25. Rubinstein, A., 1998. Modeling bounded rationality. Cambridge, MA: MIT Press.
26. Simon, H.A., 1976. Administrative behavior: a study of decision-making processes in administrative organization. 3rd ed. New York, NY: Free Press.
27. Straub, D., 1990. Discovering and disciplining computer abuse in organizations: a field study. MIS Quarterly, 14 (1), 45-57.
28. Straub, D. and Welke, R., 1998. Coping with systems risk: security planning models for management decision making. MIS Quarterly, 22 (4), 441-469.
29. Tam, L., Glassman, M., and Vandenwauver, M., 2010. The psychology of password management: a tradeoff between security and convenience. Behaviour & Information Technology, 29 (3), 233-244.
30. Trcek, D., et al., 2007. Information systems security and human behaviour. Behaviour & Information Technology, 26 (2), 113-118. (Pubitemid 46472136)
31. Tversky, A. and Kahneman, D., 1974. Judgment under uncertainty: heuristics and biases. Science, 185, 1124-1131.
32. Vu, K.L., et al., 2007. Improving password security and memorability to protect personal and organizational information. International Journal of Human-Computer Studies, 65, 744-757.
33. Warkentin, M., Davis, K., and Bekkering, E., 2004. Introducing the check-off password systems (COPS): an advancement in user authentication methods and information security. Journal of Organizational and End User Computing, 16 (3), 41-58.
34. Williamson, O., 1985. The economic institution of capitalism. New York, NY: Free Press.
35. Yan, J., et al., 2004. Password memorability and security: empirical results. IEEE Security and Privacy, September/ October, 25-30.
36. Zviran, M. and Haga, W.J., 1999. Password security: an empirical study. Journal of Management Information Systems, 15 (4), 161-185. (Pubitemid 32716609)