Complex password policies aren't always the key to password security
New research offers insights on how users react to increasingly complex password policies and whether these rules compromise password security.
It is often recommended that an increasingly complex combination of special characters, numbers, and upper- and lower-case letters makes passwords less likely to be compromised by social engineering attacks. As a result, organisations worldwide have adopted and accepted such rules. In practice, however, these measures are often too extreme and leave users frustrated, leading to poor password management.
To further investigate this issue, a team led by Associate Professor Roberto Dillon – Academic Head of Science and Technology, and Associate Professor of Information Technology at James Cook University (JCU) in Singapore – conducted a survey where users were asked to create a password following an increasing number of restrictions. These restrictions ranged from “Password must contain at least 8 characters” to “Password must be different from the latest five passwords”. Participants were also asked if they used any strategies to remember their passwords, as well as the situations where they would be tempted to use those strategies.
Other members of the team include Dr Shailey Chawla, Lecturer in Information Technology at James Cook University, and an interdisciplinary team of PhD candidates from the University of Vienna comprising Ms Barbara Göbl, Ms Dayana Hristova and Ms Suzana Jovicic.
The study's analysis confirms that the tougher the constraints on creating a password, the safer users feel about their information. However, the results also show that a large number of password restrictions frustrates users.
Associate Professor Dillon says, “Our analysis reveals that obliging users to comply with an increasing number of rules introduced frustration, fostering a sense that the number of restrictions was too high. This perception got more pronounced upon adding a fourth restriction (requiring at least one special character), although this restriction increased password security most significantly in our specific progression. The further added restrictions increased the perception of difficulty whilst, according to our analysis, not increasing the time in which the password could be compromised using a brute force approach.”
He adds, “Three fourths of our participants also reported that they devise various strategies to remember their passwords, including some practices that compromise password security. The most popular strategy was ‘using the same password for multiple sites’, which aligns with our participants rating the restriction against using old passwords as most difficult. The majority of participants reported using their strategies always, when there are too many passwords to remember, or if they don’t log in with the password often.”
While measures such as password managers and two-factor authentication offer solutions for password management and for protecting privacy, they still suffer from usability problems and are inconvenient for users.
To ease password management, the study suggests that it is more appropriate to require users to create a long but meaningful passphrase. Such a passphrase is easy to remember and long enough to hinder brute force attacks. At the same time, providers should avoid piling on restrictions, as doing so makes it more likely that users resort to workarounds that potentially compromise security.
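The keyspace arithmetic behind the last two points can be made concrete. The following Python script is an added illustration, not code from the study or from JCU: it models a hypothetical progression of rules and computes, for each, how many candidate strings a brute-force attacker would have to try. The character-class sizes, the 1e10 guesses/second rate, the 7776-word list, and the exact rules at steps two and three are assumptions (the article only states that the first rule is a minimum length, the fourth requires a special character, and the last forbids reuse of the previous five passwords), so the per-step gains are illustrative. What the model does show is the article's two conclusions: a history rule adds nothing to brute-force cost, and a longer passphrase beats an 8-character password under every composition rule.

```python
import math

# Assumed character-class sizes for printable ASCII (constructed for this example).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}

# Hypothetical rule progression loosely modelled on the article: the first rule is a
# minimum length, the fourth adds a special character, the last forbids reusing the
# previous five passwords. Steps two and three are assumptions. Each entry is
# (label, minimum length, character classes the attacker must now cover).
POLICY_STEPS = [
    ("at least 8 characters", 8, ("lower",)),
    ("+ at least one upper-case letter", 8, ("lower", "upper")),
    ("+ at least one digit", 8, ("lower", "upper", "digit")),
    ("+ at least one special character", 8, ("lower", "upper", "digit", "special")),
    ("+ different from the last five passwords", 8, ("lower", "upper", "digit", "special")),
]


def charset_size(classes):
    """Alphabet size an attacker must enumerate once the policy forces these classes."""
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace_bits(length, classes):
    """log2 of the number of strings of this length over the alphabet.

    This is an upper bound: composition rules exclude some strings (e.g. all-lower-case
    ones), so the space an attacker must search is in fact slightly smaller.
    """
    return length * math.log2(charset_size(classes))


def exhaustive_search_seconds(length, classes, guesses_per_second=1e10):
    """Seconds to try every candidate at an assumed (constructed) offline guess rate."""
    return charset_size(classes) ** length / guesses_per_second


def passphrase_bits(n_words, wordlist_size=7776):
    """Entropy of n words drawn uniformly from a wordlist (7776 = a Diceware-style list)."""
    return n_words * math.log2(wordlist_size)


def policy_progression():
    """(label, keyspace bits, bits gained over the previous rule) for each policy step."""
    rows, prev = [], 0.0
    for label, length, classes in POLICY_STEPS:
        bits = keyspace_bits(length, classes)
        rows.append((label, round(bits, 2), round(bits - prev, 2)))
        prev = bits
    return rows


def length_beats_complexity():
    """True when 16 lower-case characters out-size 8 characters drawn from all classes."""
    return keyspace_bits(16, ("lower",)) > keyspace_bits(8, ("lower", "upper", "digit", "special"))


if __name__ == "__main__":
    for label, bits, gain in policy_progression():
        print(f"{label:44s} {bits:6.2f} bits  (+{gain:5.2f})")
    print(f"{'five-word passphrase':44s} {passphrase_bits(5):6.2f} bits")
    print(f"{'16 lower-case characters':44s} {keyspace_bits(16, ('lower',)):6.2f} bits")
    print("Exhaustive search of 8 lower-case characters at 1e10 guesses/s:",
          round(exhaustive_search_seconds(8, ("lower",)), 1), "seconds")
```

Run it and the last policy step reports a gain of 0.00 bits: forbidding the previous five passwords changes nothing about how many candidates an attacker must try, which matches the article's observation that later rules raised perceived difficulty without raising brute-force time. The five-word passphrase and the 16-character lower-case string both exceed the fully-restricted 8-character password by a wide margin, which is the quantitative case for preferring length over composition rules.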
R. Dillon, S. Chawla, D. Hristova, B. Göbl and S. Jovicic, "Password Policies vs. Usability: When Do Users Go 'Bananas'?", 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 2020, pp. 148-153, doi: 10.1109/TrustCom50675.2020.00032.