DOI: 10.1145/1753326.1753384
CHI Conference Proceedings, research article

The true cost of unusable password policies: password use in the wild

Published: 10 April 2010

Abstract

HCI research published 10 years ago pointed out that many users cannot cope with the number and complexity of passwords, and resort to insecure workarounds as a consequence. We present a study which re-examined password policies and password practice in the workplace today.
32 staff members in two organisations kept a password diary for 1 week, which produced a sample of 196 passwords. The diary was followed by an interview which covered details of each password, in its context of use.
We find that users are in general concerned to maintain security, but that existing security policies are too inflexible to match their capabilities, and the tasks and contexts in which they operate. As a result, these password policies can place demands on users which impact negatively on their productivity and, ultimately, that of the organisation.
We conclude that, rather than focusing password policies on maximizing password strength and enforcing change frequency alone, policies should be designed using HCI principles to help the user set an appropriately strong password for a specific context of use.


Published In

CHI '10: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
April 2010
2690 pages
ISBN:9781605589299
DOI:10.1145/1753326
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. password policy
  2. passwords
  3. usable security
