Philip G. Inglesant
ABSTRACT
HCI research published 10 years ago pointed out that many users cannot cope with the number and complexity of passwords, and resort to insecure workarounds as a consequence. We present a study which re-examined password policies and password practice in the workplace today.
32 staff members in two organisations kept a password diary for 1 week, which produced a sample of 196 passwords. The diary was followed by an interview which covered details of each password, in its context of use.
We find that users are in general concerned to maintain security, but that existing security policies are too inflexible to match their capabilities, and the tasks and contexts in which they operate. As a result, these password policies can place demands on users which impact negatively on their productivity and, ultimately, that of the organisation.
We conclude that, rather than focussing password policies on maximizing password strength and enforcing frequency alone, policies should be designed using HCI principles to help the user to set an appropriately strong password in a specific context of use.
- Adams, A. and Sasse, M.A. Users Are Not The Enemy. Communications of the ACM 42, 12 (December 1999), 41--46. Google Scholar
Digital Library
- Allan, A. Passwords Are Near the Breaking Point: Gartner Research Note (2004). http://www.indevis.de/dokumente/gartner_passwords_breakpoint.pdf.Google Scholar
- Beautement, A., Sasse, M.A., and Wonham, M. The Compliance Budget: Managing Security Behaviour in Organisations. In Proc. NSPW 2008, ACM Press (2009), 47--58. Google ScholarDigital Library
- Brostoff, S. and Sasse, M.A. Safe and Sound: A Safety-Critical Approach to Security. In Proc. NSPW 2001 (2001), 41--50. Google ScholarDigital Library
- Brown, B.A.T., Sellen, A.J., and O'Hara, K.P. A Diary Study of Information Capture in Working Life. In Proc. CHI 2000, ACM Press (2000), 438--445. Google ScholarDigital Library
- Charmaz, K. Constructing Grounded Theory: A Practical Guide Through Qualitative Analysis, SAGE Publications, London, UK, 2006.Google Scholar
- Dourish, P., Grinter, R.E., Delgado de la Flor, J., and Joseph, M. Security in the wild: user strategies for managing security as an everyday, practical problem. Personal and Ubiquitous Computing 8, 6 (2004), 391--401. Google ScholarCross Ref
- Electric Alchemy Cracking Passwords in the Cloud: Insights on Password Policies http://news.electricalchemy.net/2009/10/passwordcracking-in-cloud-part-5.html.Google Scholar
- Federal Information Processing Standards Publication 112: Password Usage (Withdrawn February 2008) (1985) http://www.itl.nist.gov/fipspubs/fip112.htm.Google Scholar
- Florêncio, D. and Herley, C.A. Large-Scale Study of Web Password Habits. In Proc. WWW 2007, ACM Press (2007), 657--666. Google ScholarDigital Library
- Florêncio, D., Herley, C., and Coskun, B. Do Strong Web Passwords Accomplish Anything? In Proc. HotSec'07, USENIX Association (2007), Article No. 10. Google ScholarDigital Library
- Herley, C. So Long and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users. In NSPW 2009. Google ScholarDigital Library
- Morris, R. and Thompson, K. Password security: a case history. Communications of the ACM 22, 11 (November 1979), 594--597. Google ScholarDigital Library
- National Institute of Science and Technology NIST Special Publication 800--118: Guide to Enterprise Password Management (Draft): Recommendations of the National Institute of Standards and Technology (2009). http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf.Google Scholar
- Palen, L. and Salzman, M. Voice-Mail Diary Studies for Naturalistic Data Capture under Mobile Conditions. In Proc. CSCW 2002, ACM Press (2002), 87--95. Google ScholarDigital Library
- Sasse, M.A., Brostoff, S., and Weirich, D. Transforming the 'weakest link' -- a human/computer interaction approach to usable and effective security. BT Technology Journal 19, 3 (July 2001), 122--131. Google ScholarDigital Library
- Schneier, B. Secrets and Lies: Digital Security in a Networked World, Wiley, Indianapolis, IN, USA (2000). Google ScholarDigital Library
- Schneier, B. Write Down Your Password (2005). http://www.schneier.com/blog/archives/2005/06/write_down_your.html.Google Scholar
- Scientific Software Development, 2006, 'ATLAS.ti The Knowledge Workbench'.Google Scholar
- Singh, S., Cabraal, A., Demosthenous, C., Astbrink, G., and Furlong, M. Password Sharing: Implications for Security Design Based on Social Practice. In Proc. CHI 2007, ACM Press (2007), 895--904. Google ScholarDigital Library
- Trust Economics. http://www.trust-economics.org/.Google Scholar
- Yan, J., Blackwell, A., Anderson, R., and Grant, A. Password Memorability and Security: Empirical Results. IEEE Security & Privacy 2, 5 (September/October 2004), 25--31. Google ScholarDigital Library
- Zviran, M. and Haga, W.J. Password Security: An Empirical Study. Journal of Management Information Systems 15, 4 (Spring 1999), 161--185. Google ScholarDigital Library
Index Terms
- The true cost of unusable password policies: password use in the wild
Recommendations
Designing Password Policies for Strength and Usability
Password-composition policies are the result of service providers becoming increasingly concerned about the security of online accounts. These policies restrict the space of user-created passwords to preclude easily guessed passwords and thus make ...
Do Differences in Password Policies Prevent Password Reuse?
CHI EA '17: Proceedings of the 2017 CHI Conference Extended Abstracts on Human Factors in Computing SystemsPassword policies were originally designed to make users pick stronger passwords. However, research has shown that they often fail to achieve this goal. In a systematic audit of the top 100 web sites in Germany, we explore if diversity in current real-...
Comments