Impact of restrictive composition policy on user password choices

John Campbell, Wanli Ma, Dale Kleeman

    Research output: Contribution to journal › Article

    21 Citations (Scopus)

    Abstract

    This study investigates the efficacy of using a restrictive password composition policy. The primary function of access controls is to restrict the use of information systems and other computer resources to authorised users only. Although more secure alternatives exist, password-based systems remain the predominant method of user authentication. Prior research shows that password security is often compromised by users who adopt inadequate password composition and management practices. One particularly under-researched area is whether restrictive password composition policies actually change user behaviours in significant ways. The results of this study show that a password composition policy reduces the similarity of passwords to dictionary words. However, in this case the regime did not reduce the use of meaningful information in passwords such as names and birth dates, nor did it reduce password recycling.
    Original language: English
    Pages (from-to): 379-388
    Number of pages: 10
    Journal: Behaviour and Information Technology
    Volume: 30
    Issue number: 3
    DOI: 10.1080/0144929X.2010.492876
    Publication status: Published - 2011

    Cite this

    @article{3e0ad0bb708c4562bc3004f5ce41d352,
    title = "Impact of restrictive composition policy on user password choices",
    abstract = "This study investigates the efficacy of using a restrictive password composition policy. The primary function of access controls is to restrict the use of information systems and other computer resources to authorised users only. Although more secure alternatives exist, password-based systems remain the predominant method of user authentication. Prior research shows that password security is often compromised by users who adopt inadequate password composition and management practices. One particularly under-researched area is whether restrictive password composition policies actually change user behaviours in significant ways. The results of this study show that a password composition policy reduces the similarity of passwords to dictionary words. However, in this case the regime did not reduce the use of meaningful information in passwords such as names and birth dates, nor did it reduce password recycling.",
    keywords = "password authentication, password composition policy, computer security",
    author = "John Campbell and Wanli Ma and Dale Kleeman",
    year = "2011",
    doi = "10.1080/0144929X.2010.492876",
    language = "English",
    volume = "30",
    pages = "379--388",
    journal = "Behaviour and Information Technology",
    issn = "0144-929X",
    publisher = "Taylor and Francis Ltd.",
    number = "3",

    }

    Impact of restrictive composition policy on user password choices. / Campbell, John; Ma, Wanli; Kleeman, Dale.

    In: Behaviour and Information Technology, Vol. 30, No. 3, 2011, p. 379-388.
