Research Area: Privacy Protection
Cross Cutting Thrusts: Usable Privacy and Security
Text-based passwords remain the dominant authentication method in computer systems, despite significant advances in attackers’ capabilities to perform password cracking. In response to this threat, password-composition policies have grown increasingly complex. However, there is little understanding of the practical effects of password-composition policies on the security and usability of passwords; current best practices are based largely on folklore and educated guesses. In a series of online studies, we have asked over 34,000 users to create and use passwords under controlled conditions. We use data from these studies to (a) improve our understanding of the effects of password-composition policies on password strength and usability, (b) learn about nudging users towards creating more secure, yet usable passwords, and (c) revisit and improve on the metrics and methodology for quantifying password strength.
Outcomes: Recommendations for more secure and usable password policies, and a better, empirically backed understanding of the factors that affect the usability and security of passwords.