IT's natural instinct for managing passwords in the enterprise is to make them as abstract as possible. After all, even the most novice hacker can guess that a user might use their last name or a published phone number as a password. Forcing users to use a composite of numbers and letters seems like a no-brainer when it comes to what is inherently a fragile security mechanism.
However, many IT shops don't consider the behavioral implications that password policies have on users, who are always the weakest link in network security. Consider this: If you make a password really difficult for a hacker to guess, you are also making it really hard for a user to remember. And that can lead to a world of problems.
Researchers at Carnegie Mellon University and the National Institute of Standards and Technology examine the relationship between password complexity and user behavior in their article, Of Passwords and People: Measuring the Effect of Password-Composition Policies. The research is available free to IT Business Edge members here in the IT Downloads library.
The article starts off by noting that the relationship between user behavior and password complexity has received scant research attention, adding that most information you are likely to find is based on anecdote or closed lab studies. For their project, they employed more than 5,000 test subjects recruited through Amazon's Mechanical Turk crowdsourcing service to create a random sampling of typical user behavior.
The basic research approach was to send users to a page and ask them to create passwords based on typical composition policies:
basic8: Passwords must have at least eight characters, of any type.
basic16: Passwords must have at least 16 characters, of any type.
dictionary8: Passwords must have at least 8 characters, and may not contain a dictionary word. A simple lookup is executed to check for such easy-to-guess strings.
comprehensive8: Passwords must have at least 8 characters, including an uppercase and lowercase letter, a symbol and a digit. It may not contain a dictionary word.
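As an added illustration (not code from the article or from the study it summarizes), the following Python checker applies the four composition policies exactly as the page lists them and reports which requirements a candidate password misses. The word list is a small constructed stand-in for the cracking dictionary the researchers used, and the shape of the dictionary check (drop non-letters, lowercase, then look for a listed word as a substring) is an assumption, since the page only describes it as a simple lookup.

```python
import re
import string

# Constructed stand-in for the study's dictionary (the page does not name
# the list); a real deployment would load a large file. Words shorter than
# four letters are omitted so the substring check does not reject every
# password that happens to contain "a" or "it".
DICTIONARY = frozenset({
    "password", "letmein", "welcome", "monkey", "dragon", "summer",
    "football", "survey", "email", "admin", "qwerty", "love",
})

SYMBOLS = frozenset(string.punctuation)

# Minimum length for each policy, as listed on the page.
MIN_LENGTH = {"basic8": 8, "basic16": 16, "dictionary8": 8, "comprehensive8": 8}


def contains_dictionary_word(password):
    """Assumed form of the 'simple lookup': strip non-letters, lowercase,
    then search for any dictionary word as a substring of what remains."""
    letters_only = re.sub(r"[^A-Za-z]", "", password).lower()
    return any(word in letters_only for word in DICTIONARY)


def unmet_requirements(password, policy):
    """Return the requirements the password fails under the named policy.
    An empty list means the password is accepted by that policy."""
    if policy not in MIN_LENGTH:
        raise ValueError(f"unknown policy: {policy}")
    problems = []
    if len(password) < MIN_LENGTH[policy]:
        problems.append(f"at least {MIN_LENGTH[policy]} characters")
    if policy in ("dictionary8", "comprehensive8") and contains_dictionary_word(password):
        problems.append("no dictionary word")
    if policy == "comprehensive8":
        # comprehensive8 additionally demands all four character classes.
        if not any(c.isupper() for c in password):
            problems.append("an uppercase letter")
        if not any(c.islower() for c in password):
            problems.append("a lowercase letter")
        if not any(c.isdigit() for c in password):
            problems.append("a digit")
        if not any(c in SYMBOLS for c in password):
            problems.append("a symbol")
    return problems


def accepted(password, policy):
    """True when the password satisfies every requirement of the policy."""
    return not unmet_requirements(password, policy)


def policy_matrix(password):
    """Map each of the four policies to whether it accepts this password."""
    return {name: accepted(password, name) for name in MIN_LENGTH}


if __name__ == "__main__":
    # Constructed sample passwords exercising each policy boundary.
    for pw in ["Summer2011!", "correcthorsebatterystaple", "xK7$pq!v", "football"]:
        print(pw, policy_matrix(pw), unmet_requirements(pw, "comprehensive8"))
```

Running the block shows the tension the article describes: a long lowercase passphrase clears basic16 and dictionary8 but fails comprehensive8 on three counts, while the eight-character string that satisfies comprehensive8 is precisely the kind of password users are least likely to remember without writing it down.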
The researchers then e-mailed the users a couple of days later and asked them to recall the password they had set. Demographic info and use scenario (suggesting that the password would be protecting either survey results or a personal email account) were used to round out the password strength and behavioral analysis.
One of the more interesting findings of the study was that more complex passwords do, in fact, tend to be stored by users in profoundly insecure ways, as you can see in the chart below:
Forcing users to use a composite of symbols and letters resulted in them being substantially more likely to store their passwords on paper, which of course greatly increases the risk of internal mischief or social engineering attacks. Users did seem aware of the risks of storing their passwords electronically, which opens the door to network-based snooping or cracking attempts against Web services.
Of course, IT must balance this phenomenon against the upside of having passwords that are hardened against attack. Tomorrow, we will look at the researchers' findings on how password composition policies and use scenario affect the entropy, or susceptibility to brute force attack, of your users' passwords.