I. Introduction
Password rules have not kept up with the growing sophistication of computer security threats. The holy grail of password best practices, such as "change your passwords often," "do not reuse your passwords," or "do not write your passwords down," may no longer be practical advice for end-users. On average, a user manages 25 password-protected accounts [17], ranging from high-asset (e.g., banks) to low-asset (e.g., news) accounts. Remembering strong passwords for all of these accounts exceeds human memory capabilities [20], [21]. Users inevitably break password rules to cope with password management.