Abstract
Password policies, the documents that regulate how users must create and manage their passwords, can have complex and unforeseen consequences for organizational security. Because these policies attempt to govern user behavior, a policy can only be effective if users are clear about what is expected of them. Ambiguity is not only a source of user misinterpretation; it also prevents researchers from comparing and contrasting policy statements. To tackle ambiguity, we developed a formal language for stating what behavior is and is not allowed when creating, managing, and changing passwords. This formal language lends itself to policy analysis and visualization. A corpus of 41 password policies was translated into the formal language and analyzed. Having clear, unambiguous policy statements enables us to explore password policies in much greater detail, discuss the relative merits of different statements, compare and contrast policies, and begin to examine the interplay between usability and security in password policies.
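To make the kind of comparison the abstract describes concrete, here is an added example; it is not the paper's formal language and not code from the authors. It is a toy Python model that encodes a handful of password-creation constraints as fields, lists every rule a candidate password breaks, diffs two policies field by field, and gives a structural test that one policy admits a subset of what another admits. The rule vocabulary, the four sample policies, and the test passwords are all constructed for illustration. The NO_SPACE and WITH_SPACE pair shows how the single prose phrase "must contain a special character" yields two different formal policies depending on whether a space counts as special, which is exactly the ambiguity that defeats comparison of plain-prose policies.

```python
"""Toy formal model of password-creation rules (added example; not the NIST
formal language described in the paper). The rule vocabulary, the sample
policies and the test passwords below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional
import string

CLASS_NAMES = ("lower", "upper", "digit", "special")


@dataclass(frozen=True)
class Policy:
    """One policy is a conjunction of independent constraints on a new password.
    A default value (0, None, empty set) means the policy is silent on that point."""
    name: str
    min_length: int = 0
    max_length: Optional[int] = None
    required_classes: frozenset = frozenset()   # classes that must all appear
    min_classes: int = 0                         # distinct classes that must appear
    max_run: Optional[int] = None                # longest allowed run of one character
    forbid_username: bool = False
    special: str = string.punctuation            # what "special character" means here


def char_classes(pw: str, special: str) -> set:
    """Classes present in pw under this policy's definition of 'special'.
    Characters outside all four classes count for nothing; that is itself a
    policy decision the formal version makes explicit."""
    found = set()
    for ch in pw:
        if ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        elif ch.isdigit():
            found.add("digit")
        elif ch in special:
            found.add("special")
    return found


def longest_run(pw: str) -> int:
    """Length of the longest run of one repeated character."""
    best = run = 0
    prev = None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def violations(p: Policy, pw: str, username: str = "") -> list:
    """Every rule of p that the candidate breaks, as machine-checkable strings."""
    out = []
    if len(pw) < p.min_length:
        out.append(f"length {len(pw)} < min_length {p.min_length}")
    if p.max_length is not None and len(pw) > p.max_length:
        out.append(f"length {len(pw)} > max_length {p.max_length}")
    present = char_classes(pw, p.special)
    missing = p.required_classes - present
    if missing:
        out.append("missing required classes: " + ",".join(sorted(missing)))
    if len(present) < p.min_classes:
        out.append(f"{len(present)} classes < min_classes {p.min_classes}")
    if p.max_run is not None and longest_run(pw) > p.max_run:
        out.append(f"run of {longest_run(pw)} > max_run {p.max_run}")
    if p.forbid_username and username and username.lower() in pw.lower():
        out.append("contains username")
    return out


def diff(a: Policy, b: Policy) -> dict:
    """Field-by-field differences between two policies: {field: (a_value, b_value)}."""
    return {f: (getattr(a, f), getattr(b, f))
            for f in Policy.__dataclass_fields__
            if f != "name" and getattr(a, f) != getattr(b, f)}


def at_least_as_strict(a: Policy, b: Policy) -> bool:
    """Structural check that every password a accepts, b also accepts.
    Sufficient but not necessary: two policies can admit the same set of
    passwords while differing structurally (e.g. a contradictory policy that
    admits nothing is stricter than everything, yet fails this test)."""
    def cap(v):               # None means "no bound"
        return float("inf") if v is None else v

    def eff_classes(p):       # requiring all of N classes implies at least N classes
        return max(p.min_classes, len(p.required_classes))

    return (a.min_length >= b.min_length
            and cap(a.max_length) <= cap(b.max_length)
            and a.required_classes >= b.required_classes
            and eff_classes(a) >= eff_classes(b)
            and cap(a.max_run) <= cap(b.max_run)
            and a.forbid_username >= b.forbid_username
            and set(a.special) <= set(b.special))


# Constructed sample policies, not drawn from the paper's corpus of 41.
LAX = Policy("lax", min_length=8, min_classes=2)
STRICT = Policy("strict", min_length=12, required_classes=frozenset(CLASS_NAMES),
                max_run=2, forbid_username=True)
# The same prose rule, "one special character", read two ways: does a space count?
NO_SPACE = Policy("no_space", min_length=8, required_classes=frozenset({"special"}))
WITH_SPACE = Policy("with_space", min_length=8, required_classes=frozenset({"special"}),
                    special=string.punctuation + " ")

if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "Alice!!!Pass1234", "correct horse"):
        for pol in (LAX, STRICT, NO_SPACE, WITH_SPACE):
            print(f"{pol.name:>10} {pw!r}: {violations(pol, pw, 'alice') or 'OK'}")
    print("diff(NO_SPACE, WITH_SPACE):", diff(NO_SPACE, WITH_SPACE))
    print("STRICT >= LAX:", at_least_as_strict(STRICT, LAX))
```

Running the block prints each constructed password's verdict under each policy. The point of the last two policies is that "correct horse" is rejected by NO_SPACE and accepted by WITH_SPACE, and diff() isolates the single field responsible, which is the comparison an informal policy document does not allow.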
The rights of this work are transferred to the extent transferable according to title 17 U.S.C. 105.
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Steves, M., Killourhy, K., Theofanos, M.F. (2014). Clear, Unambiguous Password Policies: An Oxymoron?. In: Rau, P.L.P. (eds) Cross-Cultural Design. CCD 2014. Lecture Notes in Computer Science, vol 8528. Springer, Cham. https://doi.org/10.1007/978-3-319-07308-8_24
DOI: https://doi.org/10.1007/978-3-319-07308-8_24
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-07307-1
Online ISBN: 978-3-319-07308-8