7.2. Existing Advice on Password Selection

Adams and Sasse[8] note that users are not enemies of security, but collaborators who need appropriate information to help maintain system security. They observe that users, when not told how to choose good passwords, make up rules for password generation, resulting in insecure passwords. They therefore recommend that organizations "provide instruction and training on how to construct usable and secure passwords."
Later research by Sasse, Brostoff, and Weirich, based on a survey of system users, found that 90% of them had difficulty with standard password mechanisms and that they welcomed advice on password generation.[9] The authors conclude that, "instructions for constructing and memorizing a strong password...should be available when a password needs to be chosen or changed."
Many large organizations do give specific advice to new users about how to select a "good password." A good password, in terms of the preceding discussion, should aim to be reasonably long, use a reasonably large character set, but still be easy to remember. There are some subtleties about whether the attacker is going to try many passwords over a network or whether she has obtained a copy of the password file and is cracking it offline, but we propose to ignore these for the purposes of the present study. We made an informal survey of advice given to new users at large sites by searching on the Web for the terms "choose," "good," and "password." Many sites did not recognize the importance of memorability, merely emphasizing resistance to brute force search. Some typical pieces of advice were:

One recommendation that seems increasingly popular is the "passphrase" approach to password generation. A typical description of this is as follows:

Of course this informal survey does not include sites where no advice at all is given on password selection. We believe that many sites simply tell new users the minimum requirement for a valid password (length and character set), and give no further advice regarding security or memorability. Others, in our experience, enforce rules such as:
The usual response of users to such rules appears to be to devise a personal password generation system, of which a simple example is "Juliet03" for March, "Juliet04" for April, and so on. In our own study described in this chapter, we did not include advice of this kind, so we are unable to offer additional empirical evidence. Nevertheless, we believe that this policy is clearly weak. Other attempts to compel user behavior have backfired. For example, Patterson reports that when users were compelled to change their passwords and were prevented from using the previous few choices, they changed passwords rapidly to exhaust the history list and then returned to their favorite password. The response, forbidding password changes until after 15 days, meant that users couldn't change possibly compromised passwords without help from the system administrator.[10] Once again, this confirms Adams and Sasse's finding that users will circumvent restrictions that they find tedious.
So, the design of the advice given to users, and of the system-level enforcement that may complement this, is an important problem. It involves subtle questions of applied psychology to which the answers are not obvious. The existing literature on password selection and memorability is surprisingly sparse. Grampp and Morris's classic paper on Unix security reports that after software became available, forcing passwords to be at least six characters long and have at least one non-letter, they made a file of the 20 most common female names, each followed by a single digit. Of these 200 passwords, at least one was in use on each of several dozen machines they examined.[11] Klein records collecting 13,797 password file entries from Unix systems and attacking them by exhaustive search; about one-quarter of them were cracked.[12] Password management guidelines from the U.S. Department of Defense[13] recommended the use of machine-generated random passwords.
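As an added example (not from the chapter), a Python password-policy check that rejects the two weak patterns described above: a common first name followed by digits, as in the Grampp and Morris test, and a new password that differs from the previous one only in its trailing digits, as in the "Juliet03"/"Juliet04" rotation scheme. The name list is a small constructed stand-in; a real deployment would load a much larger one.

```python
import re

# Constructed sample (assumption): a handful of common first names.
# Grampp and Morris used the 20 most common female names, each with one digit.
COMMON_NAMES = {"juliet", "susan", "mary", "linda", "karen"}

# Minimum rules of the era the chapter cites: six characters, one non-letter.
MIN_LENGTH = 6


def split_trailing_digits(pw):
    """Return (base, digits) where digits is the run of digits ending pw ("" if none)."""
    m = re.fullmatch(r"(.*?)(\d+)", pw)
    if m:
        return m.group(1), m.group(2)
    return pw, ""


def is_name_plus_digits(pw):
    """True for e.g. 'Susan1' or 'Juliet03': a listed name followed only by digits."""
    base, digits = split_trailing_digits(pw)
    return digits != "" and base.lower() in COMMON_NAMES


def is_rotation_of(old, new):
    """True when new is old with only its trailing digits changed (Juliet03 -> Juliet04).

    The bases are compared case-insensitively so 'juliet05' still counts as a rotation."""
    old_base, _ = split_trailing_digits(old)
    new_base, _ = split_trailing_digits(new)
    return old_base != "" and old_base.lower() == new_base.lower()


def check_password(new, old=None):
    """Return the list of rule names the candidate violates; an empty list means accepted."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append("too_short")
    if new.isalpha():
        reasons.append("letters_only")
    if is_name_plus_digits(new):
        reasons.append("name_plus_digits")
    if old is not None and is_rotation_of(old, new):
        reasons.append("rotation_of_previous")
    return reasons


if __name__ == "__main__":
    print(check_password("Juliet04", old="Juliet03"))  # both weak patterns fire
    print(check_password("blue7tree", old="Juliet03"))  # accepted: []
```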
Zviran and Haga[14] conducted an experiment in which they asked 106 students to choose passwords, writing them on a questionnaire. The questionnaires also assigned a random password to each student, and they were asked to remember both. Three months later, they found the following results:
However, the students were not actually using the password during the intervening three months. So, although this provides a quantitative point of reference for the difficulty of random passwords, it does not closely model a real operational environment. As previously noted, Adams and Sasse[15], and Sasse, Brostoff, and Weirich[16] report the results of studies in which system users were surveyed and asked to report their experiences with password usage. They discussed memorability issues and concluded that users should be instructed to construct secure and memorable passwords. However, they did not, as commented by Abrahams,[17] put much effort into identifying "specific, positive advice" on how to "compose passwords that are both easy to remember and difficult to crack."