Password Policies Adopted by South African Organizations: Influential Factors and Weaknesses

  • Pardon Blessings MaonekeEmail author
  • Stephen Flowerday
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 973)


Organizations worldwide are revisiting the design of their password policies. This is partly motivated by the security and usability limitations of user-generated passwords. While research on password policies has been ongoing, this has taken place in the Global North. Accordingly, little is known about the strengths and weaknesses of password policies deployed in the Global South, especially Africa. As such, this study researched password policies deployed on South African websites. Password policies of thirty frequently visited websites belonging to South African organizations were analyzed. Our observations show diverse password requirements. Even though the desire for strong passwords is the dominant motivator of complex password policies, South African organizations often adopt obsolete measures for attaining password security. The ten most common passwords in the literature were considered acceptable on most sites. In addition, some sites did not explicitly display password requirements and only a few sites adopted measures for providing real-time feedback and effective guidance during password generation.


Password Password usability Password security Password policy Password strength meter 


  1. 1.
    Florêncio, D., Herley, C.: Where do security policies come from? In: Proceedings of a Symposium on Usable Privacy and Security (SOUPS), pp. 1–14. ACM, Redmond (2010)Google Scholar
  2. 2.
    Grassi, P.A., Garcia, M.E., Fenton, J.L.: Digital Identity Guidelines. NIST Special Publication 800-63-3, pp. 1–62. NIST (2017)Google Scholar
  3. 3.
    Wang, D., Wang, P.: The emperor’s new password creation policies: In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9327, pp. 456–477. Springer, Cham (2015). Scholar
  4. 4.
    de Carnavalet, X., Mannan, M.: From very weak to very strong: analyzing password-strength meters. In: NDSS, vol. 14, pp. 23–26 (2014)Google Scholar
  5. 5.
    AlFayyadh, B., Thorsheim, P., Jøsang, A., Klevjer, H.: Improving usability of password management with standardized password policies. In: Proceedings of the Seventh Conference on Network and Information Systems Security (SAR-SSI), pp. 7983–7999. Kolkata, India (2012)Google Scholar
  6. 6.
    Weir, M., Aggarwal, S., de Medeiros, B., Glodek, B.: Password cracking using probabilistic context-free grammars. In: Proceedings of the 30th IEEE Symposium on Security and Privacy, pp. 391–405. IEEE, Washington (2009)Google Scholar
  7. 7.
    Wheeler, D.L.: zxcvbn: Low-Budget Password Strength Estimation. In: Proceedings of the 25th USENIX Security Symposium. pp. 157–173. USENIX Association, Austin (2016)Google Scholar
  8. 8.
    Shay, R., et al.: A spoonful of sugar? The impact of guidance and feedback on password-creation behavior. In: Proceedings of the Human Computer Interaction (HCI) Conference, pp. 2903–2912. ACM, Seoul (2015)Google Scholar
  9. 9.
    Furnell, S.: Password practices on leading websites – revisited. Comput. Fraud Secur. 12, 5–11 (2014)CrossRefGoogle Scholar
  10. 10.
    Furnell, S., Khern-am-nuai, W., Esmael, R., Yang, W., Li, N.: Enhancing security behaviour by supporting the user. Comput. Secur. 75, 1–9 (2018)CrossRefGoogle Scholar
  11. 11.
    Ur, B., et al.: How does your password measure up? The effect of strength meters on password creation. In: Proceedings of USENIX Security Symposium, pp. 65–80. USENIX, Bellevue (2012)Google Scholar
  12. 12.
    Yang, C., Hung, J.-L., Lin, Z.: An analysis view on password patterns of chinese internet users. Nankai Bus. Rev. Int. 4, 66–77 (2013)CrossRefGoogle Scholar
  13. 13.
    Wang, D., Cheng, H., Gu, Q., Wang, P.: Understanding Passwords of Chinese Users: Characteristics, Security and Implications. CACR Report, China (2015)Google Scholar
  14. 14.
    Vance, A., Eargle, D., Ouimet, K., Straub, D.: Enhancing password security through interactive fear appeals: a web-based field experiment. In: Proceedings of the 46th Hawaii International Conference on System Sciences, pp. 2988–2997. IEEE, Wailea (2013)Google Scholar
  15. 15.
    Furnell, S., Esmael, R.: Evaluating the effect of guidance and feedback upon password compliance. Comput. Fraud Secur. 1, 5–10 (2017)Google Scholar
  16. 16.
    Althubaiti, S., Petrie, H.: Instructions for creating passwords: how do they help in password creation. In: Proceedings of the 31st British Computer Society Human Computer Interaction Conference, pp. 55–65. BCS Learning & Development Ltd, Sunderland (2017)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Namibia University of Science and TechnologyWindhoekNamibia
  2. 2.Rhodes UniversityGrahamstownSouth Africa

Personalised recommendations