Skip to main content

Password-Composition Policies and the Security and Usability of Passwords

Researchers: Lujo Bauer, Nicolas Christin, Lorrie Cranor

Research Area: Privacy Protection

Cross Cutting Thrusts: Usable Privacy and Security


Text-based passwords remain the dominant authentication method in computer systems, despite significant advances in attackers’ capabilities to perform password cracking. In response to this threat, password composition policies have grown increasingly complex. However, there is little understanding of the practical effects of password-composition policies on the security and usability of passwords -- current best practices are based largely on folklore and educated guesses. In a series of online studies, we have asked over 34,000 users to create and use passwords under controlled conditions. We use data from these studies to (a) improve our understanding of the effects of password-composition policies on password strength and usability, (b) learn about nudging users towards creating more secure, yet usable passwords, and (c) revisit and improve on the metrics and methodology for quantifying password strength.

Outcomes: Recommendations for more secure and usable password policies, better, empirically backed, understanding of factors that affect the usability and security of passwords.