Password Composition Policy: Does Enforcement Lead to Better Password Choices?

John Campbell, Dale Kleeman, Wanli Ma

    Research output: Conference contribution (peer-reviewed)

    9 citations (Scopus); 83 downloads (Pure)

    Abstract

    The primary function of access controls is to restrict the use of information systems and other computer resources to authorised users only. Although more secure alternatives exist, password-based systems remain the predominant method of user authentication. Prior research shows that password security is often compromised by users who adopt inadequate password composition and management practices. One particularly under-researched area is whether formal password composition policies actually lead to more secure passwords and better user security practices. Consequently, this study empirically investigates the efficacy of using password composition rules to improve password security. The results show that the enforcement of password composition rules does not significantly reduce the use of meaningful data in passwords. While the enforcement of rules does reduce password reuse, the overall incidence of reuse remains high. Passwords created under enforced rules are also perceived by users as being more difficult to remember. Finally, the enforcement of password composition rules significantly increases the average Levenshtein edit distance between the passwords and ordinary dictionary words, indicating that enforcement does improve protection against dictionary-based attacks.
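    The abstract's final finding rests on one metric: the Levenshtein edit distance between a chosen password and ordinary dictionary words. The following is an added illustration, not code from the paper, of how that metric and a composition-rule check fit together. The composition policy (at least 8 characters, with lower case, upper case, a digit and a symbol) is a hypothetical stand-in for whatever rules the study enforced, the word list is a small constructed one, and the distance reported is the minimum over the list, which is one reasonable reading of the abstract's "distance to dictionary words" but is this example's assumption, not the paper's stated method.

```python
"""
Added example (not from Campbell, Kleeman and Ma): edit distance of a
password to the nearest word in a constructed word list, beside a
hypothetical composition-rule check. Shows why rule enforcement raises
edit distance only partially: a policy-compliant password can still sit
a couple of edits from a dictionary word.
"""
from typing import Iterable


def levenshtein(a: str, b: str) -> int:
    """Wagner-Fischer edit distance: insert, delete and substitute cost 1 each."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute / match
        prev = cur
    return prev[-1]


# Constructed word list standing in for an ordinary dictionary; a real
# cracking wordlist would be orders of magnitude larger.
DICTIONARY = ["password", "welcome", "summer", "dragon", "letmein", "monkey"]


def min_dictionary_distance(password: str, words: Iterable[str] = DICTIONARY) -> int:
    """Edit distance from the (case-folded) password to the closest word in the list.

    Taking the minimum over the list is this example's assumption about how
    "distance to dictionary words" is operationalised.
    """
    pw = password.lower()
    return min(levenshtein(pw, w.lower()) for w in words)


def meets_composition_policy(password: str) -> bool:
    """Hypothetical composition rule: >= 8 chars with lower, upper, digit and symbol."""
    return (len(password) >= 8
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def assess(password: str) -> dict:
    """Combine both measures so the two effects the abstract separates are visible."""
    return {"policy_ok": meets_composition_policy(password),
            "dict_distance": min_dictionary_distance(password)}


if __name__ == "__main__":
    # "Password1!" passes the policy yet is only two edits from "password":
    # compliance and real dictionary resistance are not the same thing.
    for candidate in ["password", "Password1!", "Dragon2006!", "xK9#qL2$vT"]:
        print(candidate, assess(candidate))
```

    Running it shows the gap the study measures: "password" fails the policy at distance 0, "Password1!" passes at distance 2, and only a password with no dictionary stem scores a distance comparable to its length. An enforced rule moves the average up, as the abstract reports, without pushing individual choices far from the dictionary.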
    Original language: English
    Title of host publication: Proceedings of the 17th Australasian Conference on Information Systems
    Editors: S Spencer, A Jenkins
    Place of publication: South Australia
    Publisher: Association for Information Systems
    Pages: 1-8
    Number of pages: 8
    ISBN (Print): 9780075841716
    Publication status: Published - 2006
    Event: Australasian Conference on Information Systems (ACIS2006) - Adelaide, Australia
    Duration: 6 Dec 2006 to 8 Dec 2006

    Conference

    Conference: Australasian Conference on Information Systems (ACIS2006)
    Country/Territory: Australia
    City: Adelaide
    Period: 6/12/06 to 8/12/06
