Please use this identifier to cite or link to this item: http://arks.princeton.edu/ark:/88435/dsp01hh63t000z
Title: Real Password Composition Policies: Collection, Analysis and Security-Usability Performance of PCPs on the Web
Authors: Sjoberg, Sten
Advisors: Narayanan, Arvind
Contributors: Lee, Kevin
Department: Computer Science
Class Year: 2021
Abstract: This paper is the first to provide quantitative insights into the state of Password Composition Policies currently in use on the internet today. The process of designing and implementing a data collection approach using Mechanical Turk is detailed along with the subsequent data analysis and a novel security and usability performance measurement framework based on understanding PCPs as classifiers of strong and weak passwords. We find that PCPs deployed on the internet are generally of poor quality, either too stringent or too lenient, and that recommendations from government and research are suffering from slow adoption. We also find that all character class PCPs collected in our study suffer from a linear relationship between strong passwords accepted and weak passwords rejected, indicating that they are poor classifiers of password strength.
URI: http://arks.princeton.edu/ark:/88435/dsp01hh63t000z
Type of Material: Princeton University Senior Theses
Language: en
Appears in Collections: Computer Science, 1987-2023

Files in This Item:
File: SJOBERG-STEN-THESIS.pdf
Size: 1.39 MB
Format: Adobe PDF


Items in Dataspace are protected by copyright, with all rights reserved, unless otherwise indicated.