Encountering Stronger Password Requirements: User Attitudes and Behaviors

  • Shay R
  • Komanduri S
  • Kelley P
  • et al.

Abstract

Text-based passwords are still the most commonly used authentication mechanism in information systems. We took advantage of a unique opportunity presented by a significant change in the Carnegie Mellon University (CMU) computing services password policy that required users to change their passwords. Through our survey of 470 CMU computer users, we collected data about behaviors and practices related to the use and creation of passwords. We also captured users’ opinions about the new, stronger policy requirements. Our analysis shows that, although most of the users were annoyed by the need to create a complex password, they believe that they are now more secure. Furthermore, we perform an entropy analysis and discuss how our findings relate to NIST recommendations for creating a password policy. We also examine how users answer specific questions related to their passwords. Our results can be helpful in designing better password policies that consider not only technical aspects of specific policy rules, but also users’ behavior in response to those rules.


Shay, R., Komanduri, S., Kelley, P. G., Leon, P. G., Mazurek, M. L., Bauer, L., … Cranor, L. F. (2010). Encountering Stronger Password Requirements: User Attitudes and Behaviors. Proceedings of the Sixth Symposium on Usable Privacy and Security - SOUPS ’10, 1. Retrieved from http://portal.acm.org/citation.cfm?doid=1837110.1837113
