DOI: 10.1145/1837110.1837124
Research article

Where do security policies come from?

Published: 14 July 2010

Abstract

We examine the password policies of 75 different websites. Our goal is to understand the enormous diversity of requirements: some will accept simple six-character passwords, while others impose rules of great complexity on their users. We compare different features of the sites to find which characteristics are correlated with stronger policies. Our results are surprising: greater security demands do not appear to be a factor. The size of the site, the number of users, the value of the assets protected and the frequency of attacks show no correlation with strength. In fact, we find the reverse: some of the largest, most attacked sites with the greatest assets allow relatively weak passwords. Instead, we find that sites that accept advertising, sites that purchase sponsored links, and sites where the user has a choice show a strong inverse correlation with strength.
We conclude that the sites with the most restrictive password policies do not have greater security concerns; they are simply better insulated from the consequences of poor usability. Online retailers and sites that sell advertising must compete vigorously for users and traffic; in contrast to government and university sites, poor usability is a luxury they cannot afford. This in turn suggests that much of the extra strength demanded by the more restrictive policies is superfluous: it causes considerable inconvenience for negligible security improvement.




Published In

SOUPS '10: Proceedings of the Sixth Symposium on Usable Privacy and Security, July 2010, 236 pages.
ISBN: 9781450302647
DOI: 10.1145/1837110

Sponsor

Carnegie Mellon University

Publisher

Association for Computing Machinery, New York, NY, United States


Conference

SOUPS '10: Symposium on Usable Privacy and Security
Sponsor: Carnegie Mellon University
July 14 - 16, 2010
Redmond, Washington, USA

Acceptance Rates

Overall acceptance rate: 15 of 49 submissions (31%)


Article Metrics

  • Downloads (last 12 months): 118
  • Downloads (last 6 weeks): 25
Reflects downloads up to 15 Feb 2025

Cited By

  • Review on Proposal of a Password Manager, satisfying security and Usability through “Key-Master”. International Journal of Innovative Science and Research Technology (IJISRT), pp. 585-590, 2024. Online publication date: 23 Nov 2024. doi:10.38124/ijisrt/IJISRT24NOV975
  • Ru-PCFG: Password Guessing Model Combining PCFG and Word Transformation. 2024 4th International Conference on Electronic Information Engineering and Computer (EIECT), pp. 365-372, 2024. Online publication date: 15 Nov 2024. doi:10.1109/EIECT64462.2024.10866533
  • How memory anxiety can influence password security behavior. Computers and Security, 137:C, 2024. Online publication date: 1 Feb 2024. doi:10.1016/j.cose.2023.103589
  • The perils of cybersecurity regulation. The Review of Austrian Economics, 2024. Online publication date: 2 Oct 2024. doi:10.1007/s11138-024-00660-4
  • Reviewing the Usability of Web Authentication Procedures: Comparing the Current Procedures of 20 Websites. Sustainability, 15(14):11043, 2023. Online publication date: 14 Jul 2023. doi:10.3390/su151411043
  • Balancing Password Security and User Convenience: Exploring the Potential of Prompt Models for Password Generation. Electronics, 12(10):2159, 2023. Online publication date: 9 May 2023. doi:10.3390/electronics12102159
  • Measuring Website Password Creation Policies At Scale. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 3108-3122, 2023. Online publication date: 15 Nov 2023. doi:10.1145/3576915.3623156
  • Evaluating Password Composition Policy and Password Meters of Popular Websites. 2023 IEEE Security and Privacy Workshops (SPW), pp. 12-20, 2023. Online publication date: May 2023. doi:10.1109/SPW59333.2023.00006
  • Investigating the Password Policy Practices of Website Administrators. 2023 IEEE Symposium on Security and Privacy (SP), pp. 552-569, 2023. Online publication date: May 2023. doi:10.1109/SP46215.2023.10179288
  • Traditional Authentication. In: Continuous Biometric Authentication Systems, pp. 5-34, 2023. Online publication date: 29 Oct 2023. doi:10.1007/978-3-031-49071-2_2
