Of Passwords and People: Measuring the Effect of Password-Composition Policies

Published

Author(s)

Serge M. Egelman, Saranga Komanduri, Richard Shay, Patrick G. Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie F. Cranor

Abstract

Text-based passwords are the most common mechanism for authenticating humans to computer systems. To prevent users from picking passwords that are too easy for an adversary to guess, system administrators adopt password-composition policies (e.g., including symbols and numbers) to guide users in creating passwords. Unfortunately, little is known about the relationship between password-composition policies and the strength of the resulting passwords, or about the behavior of users (e.g., writing down passwords) in response to different policies. We present a large-scale study that investigates password strength, user behavior, and user sentiment across five password-composition policies. We statistically characterize the predictability of passwords, and find that a number of commonly held beliefs about password composition and strength are inaccurate. We also correlate our results with user behavior and sentiment to produce several recommendations for password-composition policies that result in strong passwords without unduly burdening users.

Proceedings Title: CHI '11: Proceedings of the SIGCHI conference on Human Factors in Computing Systems
Conference Dates: May 7-12, 2011
Conference Location: Vancouver
Conference Title: CHI 2011

Keywords

Security, Usability, Passwords, Policy

Citation

Egelman, S., Komanduri, S., Shay, R., Kelley, P., Mazurek, M., Bauer, L., Christin, N. and Cranor, L. (2011), Of Passwords and People: Measuring the Effect of Password-Composition Policies, CHI '11: Proceedings of the SIGCHI conference on Human Factors in Computing Systems, Vancouver, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=907615 (Accessed April 13, 2024)
Created May 11, 2011, Updated February 19, 2017