Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Password policy languages: usable translation from the informal to the formal

Published

Author(s)

Michelle P. Steves, Mary F. Theofanos, Celia Paulsen, Athos Ribeiro

Abstract

Password policies – documents which regulate how users must create, manage, and change their passwords – can have complex and unforeseen consequences on organizational security. Since these policies regulate user behavior, users must be clear as to what is expected of them. Unfortunately, current policies are written in language that is often ambiguous. To tackle ambiguity, we previously developed a formal language for stating what behavior is and is not allowed when creating, managing, and changing passwords. Unfortunately manual translation of the policy to this formal language is time consuming and error prone. This work focuses on providing an interface for end users to generate accurate models of their interpretations of a password policy to aid in password policy research, formalization, and ultimately more usable password policies. This paper describes the requirements, design, high-level application features, application validation, user testing, and a discussion of how this work is expected to progress.
Proceedings Title
3rd International Conference on Human Aspects of Information Security, Privacy and Trust
Conference Dates
August 2-7, 2015
Conference Location
Los Angeles, CA
Conference Title
17th International Conference on Human-Computer Interaction

Keywords

Usable security, password policy, question-answer system, policy workbench, formal language, XML

Citation

Steves, M. , Theofanos, M. , Paulsen, C. and Ribeiro, A. (2015), Password policy languages: usable translation from the informal to the formal, 3rd International Conference on Human Aspects of Information Security, Privacy and Trust, Los Angeles, CA, [online], https://doi.org/10.1007/978-3-319-20376-8_11 (Accessed June 23, 2024)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created July 21, 2015, Updated November 10, 2018