Password Policies Adopted by South African Organizations: Influential Factors and Weaknesses

Abstract

Organizations worldwide are revisiting the design of their password policies. This is partly motivated by the security and usability limitations of user-generated passwords. While research on password policies has been ongoing, this has taken place in the Global North. Accordingly, little is known about the strengths and weaknesses of password policies deployed in the Global South, especially Africa. As such, this study researched password policies deployed on South African websites. Password policies of thirty frequently visited websites belonging to South African organizations were analyzed. Our observations show diverse password requirements. Even though the desire for strong passwords is the dominant motivator of complex password policies, South African organizations often adopt obsolete measures for attaining password security. The ten most common passwords in the literature were considered acceptable on most sites. In addition, some sites did not explicitly display password requirements and only a few sites adopted measures for providing real-time feedback and effective guidance during password generation.