Of Passwords and People: Measuring the Effect of Password-Composition Policies
Requiring users to set strong passwords shores up one aspect of your network security, but it may also encourage other bad password management practices. This research report details the findings of a survey of 5,000 users who were asked to create passwords under a variety of password-strength and application scenarios.
Passwords remain one of the most important, and yet most mismanaged, of IT security measures. No matter how many times you tell them not to, users share their passwords with other people, post them on sticky notes next to their monitors, or just set them to be so obvious that hackers can easily guess them.
In this paper, researchers from the National Institute of Standards and Technology and Carnegie Mellon University present their findings from a survey-based study of 5,000 online users who were asked to create passwords based on a variety of composition models and use scenarios. The researchers then evaluate the results by various criteria, including entropy (a measure of how many brute-force guesses it would take to break the password) and where users are likely to store passwords created for various scenarios.
Included in this zip file are:
- Of Passwords and People.pdf
- Intro Doc.pdf
- Terms and Conditions.pdf