A Second Look at Password Composition Policies in the Wild: Comparing Samples from 2010 and 2016

Authors: 

Peter Mayer and Jan Kirchner, Technische Universität Darmstadt; Melanie Volkamer, Technische Universität Darmstadt, Karlstad University

Abstract: 

In this paper we present a replication and extension of the study performed by Florêncio and Herley published at SOUPS 2010. They investigated a sample of US websites, examining different website features' effects on the strength of the website's password composition policy (PCP). Using the same methodology as in the original study, we re-investigated the same US websites to identify differences over time. We then extended the initial study by investigating a corresponding sample of German websites in order to identify differences across countries. Our findings indicate that while the website features mostly retain their predicting power for the US sample, only one feature affecting PCP strength translates to the German sample: whether users can choose among multiple alternative websites providing the same service. Moreover, German websites generally use weaker PCPs and, in particular, PCPs of German banking websites stand out for having generally low strength PCPs.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

Presentation Audio

BibTeX
@inproceedings {205136,
author = {Peter Mayer and Jan Kirchner and Melanie Volkamer},
title = {A Second Look at Password Composition Policies in the Wild: Comparing Samples from 2010 and 2016},
booktitle = {Thirteenth Symposium on Usable Privacy and Security ({SOUPS} 2017)},
year = {2017},
isbn = {978-1-931971-39-3},
address = {Santa Clara, CA},
pages = {13--28},
url = {https://www.usenix.org/conference/soups2017/technical-sessions/presentation/mayer},
publisher = {{USENIX} Association},
}