We examine the password policies of 75 different websites. Our goal is to understand the enormous diversity of requirements: some sites accept simple six-character passwords, while others impose rules of great complexity on their users. We compare different features of the sites to find which characteristics are correlated with stronger policies. Our results are surprising: greater security demands do not appear to be a factor. The size of the site, the number of users, the value of the assets protected and the frequency of attacks show no correlation with strength. In fact, we find the reverse: some of the largest, most attacked sites with the greatest assets allow relatively weak passwords. Instead, we find that sites that accept advertising, purchase sponsored links, or where the user has a choice of provider show a strong inverse correlation with strength. We conclude that the sites with the most restrictive password policies do not have greater security concerns; they are simply better insulated from the consequences of poor usability. Online retailers and sites that sell advertising must compete vigorously for users and traffic. In contrast to government and university sites, poor usability is a luxury they cannot afford. This in turn suggests that much of the extra strength demanded by the more restrictive policies is superfluous: it causes considerable inconvenience for negligible security improvement.