Technical and cultural shifts have led to users living increasingly large swaths of their lives through online accounts. These accounts, brimming with sensitive data, are often protected only through text passwords. In an effort to prevent attackers from guessing their users' passwords, many service providers have implemented password-composition policies that constrain or restrict the space of passwords.
Prior to the work in this thesis, many password-composition policies were the result of heuristics and speculation rather than scientific analysis. Other researchers have examined passwords constructed under uniform or unknown password-composition policies. In this thesis, we conduct online crowdsourced human-subjects testing using randomized, controlled conditions in order to examine and contrast the strength and usability of passwords created under different composition policies. We study a range of policies, including those similar to policies found in the wild, policies that trade usability for security by requiring longer passwords, and policies in which passwords are system-assigned with known security. We provide insight and guidelines for service providers who want to offer password-composition policies that make favorable tradeoffs between security and usability. We also offer researchers a novel methodology for studying password-composition policies.
Lorrie Faith Cranor (Chair)
Lujo Bauer (CyLab/ECE)
Nicolas Christin (ECE/CyLab)
Brian LaMacchia (Microsoft)
cherold [atsymbol] cs ~replace-with-a-dot~ cmu ~replace-with-a-dot~ edu