Of passwords and people: Measuring the effect of password-composition policies

Conference on Human Factors in Computing Systems - Proceedings

Volumn , Issue , 2011, Pages 2595-2604

  Komanduri, Saranga ^a   Shay, Richard ^a   Kelley, Patrick Gage ^a   Mazurek, Michelle L ^a   Bauer, Lujo ^a   Christin, Nicolas ^a   Cranor, Lorrie Faith ^a   Egelman, Serge ^b  

^a CARNEGIE MELLON UNIVERSITY   (United States)

^b NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY   (United States)

Author keywords

Passwords; Policy; Security; Usability

Indexed keywords

AUTHENTICATION; NETWORK SECURITY;

LARGE-SCALE STUDIES; PASSWORD; PASSWORD COMPOSITION POLICIES; PASSWORD STRENGTH; SECURITY; STRONG PASSWORD; SYSTEM ADMINISTRATORS; USABILITY; USER BEHAVIORS;

BEHAVIORAL RESEARCH;

EID: 79958161706     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1978942.1979321     Document Type: Conference Paper

References (23)

1. A. Adams, M. A. Sasse, and P. Lunt. Making passwords secure and usable. In HCI 97, 1997.
2. M. Bishop and D. V. Klein. Improving system security via proactive password checking. Computers & Security, 14(3):233-249, 1995.
3. J. Bonneau and S. Preibusch. The password thicket: technical and market failures in human authentication on the web. In Proc. (online) of WEIS'10, June 2010.
4. W. E. Burr, D. F. Dodson, and W. T. Polk. Electronic authentication guideline. Technical report, NIST, 2006.
5. D. Florêncio and C. Herley. A large-scale study of web password habits. In Proc. WWW'07, 2007.
6. D. Florêncio and C. Herley. Where do security policies come from? In Proc. SOUPS '10, 2010.
7. P. Inglesant and M. A. Sasse. The true cost of unusable password policies: password use in the wild. In Proc. ACM CHI'10, pages 383-392, 2010.
8. B. Ives, K. R. Walsh, and H. Schneider. The domino effect of password reuse. C. ACM, 47(4):75-78, 2004.
9. J. L. Massey. Guessing and entropy. In Proc. IEEE ISIT'94, page 204, 1994.
10. G. Miller. Note on the bias of information estimates. Info. Th. Psych.: Problems and Methods, 1955.
11. L. Paninski. Estimation of entropy and mutual information. Neural Comp., 15(6):1191-1253, 2003. (Pubitemid 37049793)
12. R. W. Proctor, M.-C. Lien, K.-P. L. Vu, E. E. Schultz, and G. Salvendy. Improving computer security for authentication of users: Influence of proactive password restrictions. Behavior Res. Methods, Instruments, & Computers, 34(2):163-169, 2002.
13. S. Schechter, C. Herley, and M. Mitzenmacher. Popularity is everything: A new approach to protecting passwords from statistical-guessing attacks. In Proc. HotSec'10, 2010.
14. C. E. Shannon. A mathematical theory of communication. ACM SIGMOBILE Mobile Comp. Comm. Rev., 5(1), 1949.
15. C. E. Shannon. Prediction and entropy of printed english. Bell Systems Tech. J., 30:50-64, 1951.
16. R. Shay and E. Bertino. A comprehensive simulation tool for the analysis of password policies. Int. J. Info. Sec., 8(4):275-289, 2009.
17. R. Shay, S. Komanduri, P. Kelley, P. Leon, M. Mazurek, L. Bauer, N. Christin, and L. Cranor. Encountering stronger password requirements: user attitudes and behaviors. In Proc. SOUPS'10, 2010.
18. J. M. Stanton, K. R. Stam, P. Mastrangelo, and J. Jolton. Analysis of end user security behaviors. Comp. & Security, 24(2):124 - 133, 2005. (Pubitemid 40583824)
19. A. Vance. If your password is 123456, just make it hackme. New York Times, http://www.nytimes.com/2010/01/21/technology/21password.html, January 2010, retrieved September 2010.
20. K.-P. L. Vu, R. W. Proctor, A. Bhargav-Spantzel, B.-L. B. Tai, and J. Cook. Improving password security and memorability to protect personal and organizational information. Int. J. of Human-Comp. Studies, 65(8):744-757, 2007. (Pubitemid 46824074)
21. M. Weir, S. Aggarwal, M. Collins, and H. Stern. Testing metrics for password creation policies by attacking large sets of revealed passwords. In Proceedings of the 17th ACM conference on Computer and communications security, CCS '10, pages 162-175, New York, NY, USA, 2010. ACM.
22. Y. Zhang, F. Monrose, and M. K. Reiter. The security of modern password expiration: An algorithmic framework and empirical analysis. In Proc. ACM CCS'10, 2010.
23. M. Zviran and W. J. Haga. Password security: an empirical study. J. Mgt. Info. Sys., 15(4):161-185, 1999. (Pubitemid 32716609)