To combat both the inherent and user-induced weaknesses of text-based passwords, administrators and organizations typically institute a series of rules—a password policy—to which users must adhere when choosing a password. While a properly written password policy might provide an organization with increased security, it is unclear just what such a well-written policy would be, or even how to determine whether a given policy is effective. Although it is easy to calculate the theoretical password space that corresponds to a particular password policy, it is difficult to determine the practical password space. Users may, for example, react to a policy rule requiring them to include numbers in passwords by overwhelmingly picking the same number, or by always using the number in the same location in their passwords. In addition, some password policies, while resulting in stronger passwords, may make those passwords difficult to remember or type. This may cause users to forget their passwords or to engage in a variety of behaviors that might compromise the security of passwords. We seek to advance understanding of the factors that make following password policies difficult, to collect empirical data on password strength and memorability under various password policies, and to propose password policy guidelines to simultaneously maximize security and usability of passwords. To that end, our research group has conducted a series of online studies in which we asked tens of thousands of people to create passwords that comply with specific password policies. We developed an efficient method for calculating how effectively several password-guessing algorithms guess passwords and used it to analyze leaked password sets, passwords created for our studies, and the single-sign-on passwords used by over 25,000 faculty, staff, and students at our university. 
We investigated a variety of password policies, including those with requirements on length and character classes, as well as exclusion of blacklisted words. We also investigated system-assigned passphrases and the impact of various password meter designs on password security and usability. In this talk, I will describe our password research study methodology and highlight some of our most interesting findings. Our password research papers are available at http://cups.cs.cmu.edu/passwords.html.
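As an added illustration of the gap the abstract draws between the theoretical and the practical password space, the following Python is example code written for this page (not the research group's tooling): it counts the theoretical space of an assumed policy (at least 8 printable ASCII characters, at least one digit) and then measures, over a constructed sample of compliant passwords, how much of the digit requirement users actually spend on a predictable trailing run.

```python
import math
from collections import Counter

PRINTABLE = 95   # printable ASCII characters available to a password
DIGITS = 10

def theoretical_space(length, require_digit=True):
    """Number of length-`length` printable-ASCII strings meeting a
    'must contain a digit' rule, by inclusion-exclusion: all strings
    minus those built only from the 85 non-digit characters."""
    total = PRINTABLE ** length
    if not require_digit:
        return total
    return total - (PRINTABLE - DIGITS) ** length

def complies(pw, min_len=8, require_digit=True):
    """Check a password against the policy this example assumes."""
    has_digit = any(c.isdigit() for c in pw)
    return len(pw) >= min_len and (has_digit or not require_digit)

def trailing_digit_stats(passwords):
    """How users satisfy the digit rule in practice: the fraction whose
    only digits are a run at the very end, plus a Counter of those runs."""
    runs = Counter()
    for pw in passwords:
        head = pw.rstrip("0123456789")
        if len(head) < len(pw) and not any(c.isdigit() for c in head):
            runs[pw[len(head):]] += 1
    return sum(runs.values()) / len(passwords), runs

def shannon_bits(counts):
    """Entropy (bits) of the observed digit-run choices, to set against
    the log2(10**k) bits a uniformly random k-digit run would carry."""
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())

# Constructed sample for this example; NOT data from the studies.
SAMPLE = [
    "password1", "sunshine1", "welcome1", "monkey12", "letmein1",
    "football1", "princess1", "baseball2", "shadow123", "monster1",
    "1password", "abc123xyz", "qwerty12", "dragon12", "ilove2you",
]

if __name__ == "__main__":
    frac, runs = trailing_digit_stats([pw for pw in SAMPLE if complies(pw)])
    print(f"theoretical 8-char space with >=1 digit: {theoretical_space(8):.3e}")
    print(f"{frac:.0%} of compliant passwords just append digits; "
          f"most common run: {runs.most_common(1)[0]}")
    print(f"observed entropy of the digit run: {shannon_bits(runs):.2f} bits "
          f"vs {math.log2(10):.2f} bits for one uniformly random digit")
```

The same measurement can be run over any list of policy-compliant passwords an organization is entitled to analyze; a digit-run entropy far below log2(10**k) is the concrete signal that the practical space is much smaller than the theoretical one.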
Reception to follow in room 301 CSL.
Lorrie Faith Cranor is an Associate Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University, where she is director of the CyLab Usable Privacy and Security Laboratory (CUPS) and co-director of the MSIT-Privacy Engineering Master’s program. She is also a co-founder of Wombat Security Technologies, Inc. She has authored over 100 research papers on online privacy, usable security, phishing, spam, electronic voting, anonymous publishing, and other topics. She has played a key role in building the usable privacy and security research community, having co-edited the seminal book Security and Usability (O’Reilly, 2005) and founded the Symposium On Usable Privacy and Security (SOUPS). She also chaired the Platform for Privacy Preferences Project (P3P) Specification Working Group at the W3C and authored the book Web Privacy with P3P (O’Reilly, 2002). She has served on a number of boards, including the Electronic Frontier Foundation Board of Directors, and on the editorial boards of several journals. In 2003, she was named one of the top 100 innovators 35 or younger by Technology Review magazine. She was previously a researcher at AT&T Labs Research and taught in the Stern School of Business at New York University.