Revisiting password rules: facilitating human management of passwords

IEEE Conference Publication (IEEE Xplore)

Abstract:

Password rules were established in the context of past security concerns. Recent work in computer security challenges the conventional wisdom of expert password advice, such as change your passwords often, do not reuse your passwords, or do not write your passwords down. The effectiveness of these rules for protecting user accounts against real world attacks is questioned. We review the latest research examining password rules for general-purpose user authentication on the web, and discuss the arguments behind the continued acceptance or the rejection of the rules based on empirical evidence and solid justifications. Following the review, we recommend an updated set of password rules.
Date of Conference: 01-03 June 2016
Date Added to IEEE Xplore: 09 June 2016
Electronic ISBN: 978-1-5090-2922-8
Electronic ISSN: 2159-1245
Conference Location: Toronto, ON, Canada

I. Introduction

Password rules have not kept up with the growing sophistication of computer security threats. The holy grail of password best practices, such as change your passwords often, do not reuse your passwords, or do not write your passwords down, may no longer be practical advice for end-users. A user manages on average 25 password-protected accounts [17], ranging from high-asset (e.g., banks) to low-asset (e.g., news) accounts. Remembering strong passwords for all of these accounts exceeds human memory capabilities [20], [21]. Users inevitably break password rules to cope with password management.
