Have you ever wondered why some websites use really annoying password policies? Or have you been responsible for designing a password policy for your organization, and been caught between users’ demands for easy-to-remember passwords and the demand for strong security? It has long been thought that you have to trade one of these off against the other.
This paper analyzes a number of password policies and comes with recommendations that make passwords both easy to remember (and to create in the first place) and secure. Interestingly, requiring multiple (three to four) character classes does not make passwords much more resistant to guessing, even though it comes at a significant cost in the users’ ability to create and remember such passwords. Length requirements lead users to create stronger passwords, but long passwords alone can still be easy to guess (“passwordpassword”). At least some safeguards (either pattern checks or blacklists of substrings indicative of weak passwords) are required to make such passwords secure, that is, hard to guess.
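To make the comparison concrete, here is a small policy checker, added for this post and not taken from the paper or its authors. It scores a candidate password against three constructed policies: eight characters with four character classes, sixteen characters with no further rule, and sixteen characters plus the safeguards the post mentions (a blacklist of weak substrings and a repeated-pattern check). The blacklist, the policy names and the substitution table that folds “@” back to “a” and “0” to “o” before the blacklist lookup are all illustrative assumptions of this example, not anything the paper specifies.

```python
"""Minimal password-policy checker: length, character classes, blacklist, repeats."""

# Constructed, illustrative blacklist; a real deployment would derive one from
# leaked-password corpora, which this example does not include.
WEAK_SUBSTRINGS = ("password", "123456", "qwerty", "letmein", "welcome", "iloveyou")

# Common symbol/digit substitutions, folded back to letters before the blacklist
# check so that "p@ssw0rd" is still caught (a design assumption of this example).
LEET_TABLE = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                            "0": "o", "$": "s", "5": "s", "7": "t"})


def character_classes(pw):
    """Count how many of lower, upper, digit and symbol appear in pw (0..4)."""
    present = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(present)


def normalize(pw):
    """Lower-case the password and undo common character substitutions."""
    return pw.lower().translate(LEET_TABLE)


def repeated_unit(s):
    """If s is a shorter unit repeated two or more times, return that unit, else None."""
    n = len(s)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and s[:size] * (n // size) == s:
            return s[:size]
    return None


def check_password(pw, min_length=8, min_classes=1, blacklist=(), reject_repeats=False):
    """Return the list of policy violations for pw; an empty list means accepted."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(pw) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    folded = normalize(pw)
    hits = [w for w in blacklist if w in folded]
    if hits:
        problems.append("contains weak substring(s): " + ", ".join(hits))
    if reject_repeats:
        unit = repeated_unit(folded)
        if unit is not None:
            problems.append(f"is {unit!r} repeated {len(folded) // len(unit)} times")
    return problems


# Three constructed policies in the spirit of the post's comparison.
POLICIES = {
    "8 chars, 4 classes": dict(min_length=8, min_classes=4),
    "16 chars only": dict(min_length=16),
    "16 chars + safeguards": dict(min_length=16, blacklist=WEAK_SUBSTRINGS, reject_repeats=True),
}


def evaluate(candidates):
    """Map each candidate password to the set of policy names that accept it."""
    return {pw: {name for name, rules in POLICIES.items() if not check_password(pw, **rules)}
            for pw in candidates}


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = ["P@ssw0rd", "passwordpassword", "correct horse battery staple"]
    for pw, accepted in evaluate(samples).items():
        print(f"{pw!r:32} accepted by: {sorted(accepted) or 'none'}")
```

Running it shows the post's point in miniature: “P@ssw0rd” sails through the four-class policy but is rejected by the safeguards policy once the substitutions are folded back, “passwordpassword” is accepted by a length-only rule but caught both by the blacklist and by the repeat check, and a four-word passphrase is accepted by both sixteen-character policies while failing the class requirement.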
This paper builds on analysis of publicly available databases of real passwords, as well as on studies the authors conducted with volunteer subjects. It provides robust statistical analyses if you need evidence to justify a policy you are authoring, and is an interesting and educational read on its own.