Of Passwords and People: Measuring the Effect of Password-Composition Policies
Published
Author(s)
Serge M. Egelman, Saranga Komanduri, Richard Shay, Patrick G. Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie F. Cranor
Abstract
Text-based passwords are the most common mechanism for authenticating humans to computer systems. To prevent users from picking passwords that are too easy for an adversary to guess, system administrators adopt password-composition policies (e.g., including symbols and numbers) to guide users in creating passwords. Unfortunately, little is known about the relationship between password-composition policies and the strength of the resulting passwords, or about the behavior of users (e.g., writing down passwords) in response to different policies. We present a large-scale study that investigates password strength, user behavior, and user sentiment across five password-composition policies. We statistically characterize the predictability of passwords, and find that a number of commonly held beliefs about password composition and strength are inaccurate. We also correlate our results with user behavior and sentiment to produce several recommendations for password-composition policies that result in strong passwords without unduly burdening users.
Proceedings Title
CHI '11: Proceedings of the SIGCHI conference on Human Factors in Computing Systems
Egelman, S., Komanduri, S., Shay, R., Kelley, P., Mazurek, M., Bauer, L., Christin, N. and Cranor, L. (2011), Of Passwords and People: Measuring the Effect of Password-Composition Policies, CHI '11: Proceedings of the SIGCHI conference on Human Factors in Computing Systems, Vancouver, -1, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=907615 (Accessed October 25, 2025)