Impact of restrictive composition policy on user password choices

John Campbell, Wanli Ma, Dale Kleeman

    Research output: Contribution to journalArticlepeer-review

    34 Citations (Scopus)


    This study investigates the efficacy of using a restrictive password composition policy. The primary function of access controls is to restrict the use of information systems and other computer resources to authorised users only. Although more secure alternatives exist, password-based systems remain the predominant method of user authentication. Prior research shows that password security is often compromised by users who adopt inadequate password composition and management practices. One particularly under-researched area is whether restrictive password composition policies actually change user behaviours in significant ways. The results of this study show that a password composition policy reduces the similarity of passwords to dictionary words. However, in this case the regime did not reduce the use of meaningful information in passwords such as names and birth dates, nor did it reduce password recycling.
    Original languageEnglish
    Pages (from-to)379-388
    Number of pages10
    JournalBehaviour and Information Technology
    Issue number3
    Publication statusPublished - 2011


    Dive into the research topics of 'Impact of restrictive composition policy on user password choices'. Together they form a unique fingerprint.

    Cite this