Password Composition Policy: Does Enforcement Lead to Better Password Choices?

John Campbell, Dale Kleeman, Wanli Ma

    Research output: A Conference proceeding or a Chapter in Book - Conference contribution


    Abstract

    The primary function of access controls is to restrict the use of information systems and other computer resources to authorised users only. Although more secure alternatives exist, password-based systems remain the predominant method of user authentication. Prior research shows that password security is often compromised by users who adopt inadequate password composition and management practices. One particularly under-researched area is whether formal password composition policies actually lead to more secure passwords and user security practices. Consequently, this study investigates empirically the efficacy of using password composition rules to improve password security. The results show that the enforcement of password composition rules does not significantly reduce the use of meaningful data. While the enforcement of rules does reduce password reuse, the overall incidence remains high. These passwords are also perceived by users as being more difficult to remember. Finally, the enforcement of password composition rules significantly increases the average Levenshtein's edit distance between the passwords and ordinary dictionary words, indicating that enforcement does improve protection against dictionary-based attack.
    Original language: English
    Title of host publication: Proceedings of the 17th Australasian Conference on Information Systems
    Editors: S Spencer, A Jenkins
    Place of Publication: South Australia
    Publisher: Association for Information Systems
    Pages: 1-8
    Number of pages: 8
    ISBN (Print): 9780075841716
    Publication status: Published - 2006
    Event: Australasian Conference on Information Systems (ACIS2006) - Adelaide, Australia
    Duration: 6 Dec 2006 to 8 Dec 2006

    Conference

    Conference: Australasian Conference on Information Systems (ACIS2006)
    Country: Australia
    City: Adelaide
    Period: 6/12/06 to 8/12/06


    Cite this

    Campbell, J., Kleeman, D., & Ma, W. (2006). Password Composition Policy: Does Enforcement Lead to Better Password Choices? In S. Spencer, & A. Jenkins (Eds.), Proceedings of the 17th Australasian Conference on Information Systems (pp. 1-8). South Australia: Association for Information Systems.