Measuring the Effect of Pa$$w0rd-Composition Policies on Security and Usability

Text-based passwords remain the dominant authentication method in computer systems, despite significant advancement in attackers’ capabilities to perform password cracking. In response to this threat, password-composition policies have become increasingly complex. Unfortunately, little is known about the relationship between password-composition policies and the strength of the resulting passwords, or about the behavior of users in response to different policies. We present an analysis of 12,000 passwords collected under seven composition policies via an online study. We (a) investigate the resistance of these passwords to heuristic guessing (using a novel calculation method we develop); (b) correlate our results with user behavior and sentiment to evaluate the burden stronger requirements place on users; (c) investigate the relationship between guessability and the more commonly used metric of entropy; and (d) consider how selection of training and test data affect the evaluation of the various policies.