Of Passwords and People: Measuring the Effect of Password-Composition Policies
Text-based passwords are the most common mechanism for authenticating humans to computer systems. To prevent users from picking passwords that are too easy for an adversary to guess, system administrators adopt password-composition policies (e.g., requiring passwords to contain symbols and numbers). Unfortunately, little is known about the relationship between password-composition policies and the strength of the resulting passwords, or about the behavior of users (e.g., writing down passwords) in response to different policies. The authors present a large-scale study that investigates password strength, user behavior, and user sentiment across four password-composition policies.