Computing Reviews
Designing password policies for strength and usability
Shay R., Komanduri S., Durity A., Huh P., Mazurek M., Segreti S., Ur B., Bauer L., Christin N., Cranor L. ACM Transactions on Information and System Security 18(4): Article No. 13, 2016. Type: Article
Date Reviewed: Jun 27 2017

Have you ever wondered why some websites use really annoying password policies? Or have you been responsible for designing a password policy for your organization, and been caught between the users’ demands for easy-to-remember passwords and the demand for strong security? It has long been thought that you have to trade one off against the other.

This paper analyzes a number of password policies and comes with recommendations that make passwords both easy to remember (and to create in the first place) and secure. Interestingly, requiring multiple (three to four) character classes does not make passwords much more secure against guessing, even though it comes at a significant cost in terms of the users’ ability to create and remember such passwords. Length leads users to create stronger passwords, but long passwords alone can still be easy to guess (“passwordpassword”). At least some safeguards (either via pattern checks or blacklists of substrings indicative of weak passwords) are required to make such passwords secure (that is, hard to guess).
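As an added illustration (not code from the paper or from this review), the following Python checker contrasts a naive character-class policy with a length-based policy backed by a blacklist of weak substrings and a repeated-block pattern check. The substring list, the thresholds and the function names are assumptions chosen for the example, not the paper's own values.

```python
import re

# Constructed, deliberately tiny blacklist of substrings indicative of weak
# passwords (assumption for this example; a deployment would use a far larger list).
WEAK_SUBSTRINGS = ("password", "123456", "qwerty", "letmein", "welcome")

# Lower-case, upper-case, digit, and symbol classes.
CHAR_CLASSES = (re.compile(r"[a-z]"), re.compile(r"[A-Z]"),
                re.compile(r"[0-9]"), re.compile(r"[^a-zA-Z0-9]"))


def class_count(pw: str) -> int:
    """Number of character classes present in pw."""
    return sum(1 for cls in CHAR_CLASSES if cls.search(pw))


def has_repeated_block(pw: str) -> bool:
    """True if pw is one short block repeated, e.g. 'passwordpassword'."""
    n = len(pw)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and pw[:size] * (n // size) == pw:
            return True
    return False


def blacklisted_substring(pw: str):
    """Return the first blacklisted substring found (case-insensitive), else None."""
    low = pw.lower()
    for weak in WEAK_SUBSTRINGS:
        if weak in low:
            return weak
    return None


def check_class_policy(pw: str, min_len: int = 8, min_classes: int = 3) -> bool:
    """Naive policy: minimum length plus a minimum number of character classes."""
    return len(pw) >= min_len and class_count(pw) >= min_classes


def check_length_policy(pw: str, min_len: int = 16):
    """Length-based policy with pattern and blacklist safeguards.

    Returns (accepted, list_of_reasons_for_rejection)."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if has_repeated_block(pw):
        reasons.append("repeated block pattern")
    weak = blacklisted_substring(pw)
    if weak is not None:
        reasons.append(f"contains blacklisted substring {weak!r}")
    return (not reasons, reasons)
```

Note that the class-based policy accepts a short, highly guessable value such as "P@ssw0rd", while the length-based policy rejects "passwordpassword" for both the repeated block and the blacklisted substring.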

This paper builds on analysis of publicly available databases of real passwords, as well as on studies conducted by the authors on volunteer subjects. The paper provides robust statistical analyses if you need the evidence to justify a policy you are authoring, and it is an interesting and educational read on its own.

Reviewer: Vladimir Mencl. Review #: CR145380 (1709-0618)
Authentication (D.4.6 ... )