password strength usability studies?

19 Sep 2008 - 9:00am
5 years ago
13 replies
1960 reads
Meredith Noble
2010

Does anyone know of any studies that weigh various password strength
requirements (e.g. minimum 8 characters, one capital letter, one number
or symbol) against users' ability to remember the passwords?

Or, on a more practical level, reports that track password strength
requirements vs. increased calls to support / password reset requests?

My client wants increased security, but I don't want the users to go
nuts. Trying to find a happy medium.

Also, have you ever had a website ask you to change your password (long
after you originally registered)? Did it hugely annoy you or were you
pleased that they were tightening up?

Meredith

Meredith Noble
Information Architect, Usability Matters Inc.
416.598.7770 x16
meredith at usabilitymatters.com
http://www.usabilitymatters.com

Comments

19 Sep 2008 - 9:26am
Mark Schraad
2006

Hi Meredith,

There is a lot of information in the area. In the 70's IBM did a lot
of research on this (as well as others). It mostly came out of IT and
human factors publications. I would imagine that in the era of
homeland security this is getting some additional funding.

When I worked in this field, we used to explain that usability and
security, at the extremes, were two opposite ends of a continuum.
Adding to one nearly always compromised the other. I know it is a bit
simplistic, but it works as a quick explanation.

If you can get access to Forresters, I know they have a pile of info
on the topic, sorry I can't give you anything specific right now.

Mark

________________________________________________________________
Welcome to the Interaction Design Association (IxDA)!
To post to this list ....... discuss at ixda.org
Unsubscribe ................ http://www.ixda.org/unsubscribe
List Guidelines ............ http://www.ixda.org/guidelines
List Help .................. http://www.ixda.org/help

19 Sep 2008 - 12:38pm
Meredith Noble
2010

> When I worked in this field, we used to explain that usability and
> security, at the extremes, were two opposite ends of a continuum.
> Adding to one nearly always compromised the other. I know it is a bit
> simplistic, but it works as a quick explanation.

Thanks, Mark. I am quite familiar with the usability-security continuum,
but I'm surprised at how few sites out there have concrete
recommendations on where the best place along the continuum is. I guess
it's still too controversial, but surely someone out there has some
opinions on what the best password policy is, trading off complexity /
"time to hack" and ability for users to remember. Perhaps, as you say,
they're all lurking in Forrester, which, sadly, I don't have access to!

Another person replied to me privately with the following blog post:
http://www.baekdal.com/articles/usability/password-security-usability/

The author talks about how long it would take a hacker to break certain
passwords. It's easy to calculate how long brute force attacks might
take, but it gets scary when you look at dictionary attacks.

I think my recommendation is going to be a weak-medium-strong entropy
indicator that takes dictionary words into account, plus restricting the
number of attempts the user can make within a time period.

I am EXTREMELY worried about forcing high entropy on people though... so
that's where I start sighing. Sigh.

Meredith
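The weak/medium/strong meter that "takes dictionary words into account", together with the limit on attempts per time period, as an added example in Python (this is not code from the thread or from Usability Matters). The mini wordlist, the leet substitution table, the 40/64-bit thresholds and the five-failures-per-five-minutes policy are assumptions chosen for illustration, and the sample passwords are constructed.

```python
"""Dictionary-aware password strength meter plus a per-account attempt limiter.

Added example; the wordlist, leet table, thresholds and limiter policy are
assumptions chosen for illustration, not figures from the thread.
"""
import math
import re
import time

# Constructed mini-dictionary standing in for a real wordlist (a deployment
# would load a large list such as a leaked-password corpus).
COMMON_WORDS = {
    "password", "computer", "welcome", "letmein", "qwerty", "monkey",
    "dragon", "football", "iloveyou", "sunshine", "admin", "login",
}

# Undo the usual "leet" substitutions so c0mput3r still matches "computer".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def charset_size(pw: str) -> int:
    """Size of the keyboard alphabet the password visibly draws from."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33          # printable ASCII punctuation plus space
    return size


def naive_bits(pw: str) -> float:
    """Brute-force view: log2(charset ** length). Blind to dictionary words."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def dictionary_bits(pw: str) -> float:
    """Dictionary-aware view: every recognisable word costs the attacker only
    log2(len(COMMON_WORDS)) guesses; just the leftover characters count as random."""
    if not pw:
        return 0.0
    rest = pw.lower().translate(LEET)
    bits = 0.0
    # Greedy: longest words first, each occurrence counted once and removed.
    for word in sorted(COMMON_WORDS, key=len, reverse=True):
        while word in rest:
            bits += math.log2(len(COMMON_WORDS))
            rest = rest.replace(word, "", 1)
    return bits + len(rest) * math.log2(charset_size(pw))


def rating(pw: str) -> str:
    """Three-state meter. The 40 / 64 bit thresholds are an assumption."""
    bits = dictionary_bits(pw)
    if bits < 40:
        return "weak"
    if bits < 64:
        return "medium"
    return "strong"


class AttemptLimiter:
    """Sliding-window limit on failed logins per account, so the online
    guess rate stays low even for passwords the meter calls weak.
    The clock is injectable so the policy can be tested without sleeping."""

    def __init__(self, limit: int = 5, window: float = 300.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._failures: dict[str, list[float]] = {}

    def _recent(self, user: str, now: float) -> list[float]:
        kept = [t for t in self._failures.get(user, []) if now - t < self.window]
        self._failures[user] = kept
        return kept

    def allowed(self, user: str) -> bool:
        return len(self._recent(user, self.clock())) < self.limit

    def record_failure(self, user: str) -> None:
        self._failures.setdefault(user, []).append(self.clock())

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


if __name__ == "__main__":
    for sample in ["monkey", "P@ssw0rd", "Computer001!", "purple giraffe eats 7 tacos"]:
        print(f"{sample!r:32} naive={naive_bits(sample):6.1f} "
              f"dict={dictionary_bits(sample):6.1f} -> {rating(sample)}")
```

The two estimates are the point: "Computer001!" scores about 79 bits by the brute-force formula but under 30 once "computer" is charged as a single dictionary guess, and "P@ssw0rd" collapses to one guess. The limiter is what keeps a weak choice survivable against online guessing: it caps the attacker at `limit` tries per `window` per account regardless of what the meter said.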

19 Sep 2008 - 12:52pm
Mark Schraad
2006

Well, the reality of the stringent password policy issue is that
people will find lazy workarounds unless they are invested in the
liability. Meaning... if it is their credit card that will be used,
they 'may' be concerned and motivated. I did quite a bit of
ethnography on this and collected a gallery of images - sticky notes
under keyboards, behind monitors, etc... the computer equivalent of
putting the car keys in the visor. The company was in the business of
offering a two factor authentication solution so we weren't
particularly interested in solving the specific usability problem of
passwords, but instead worked to solve the overarching problem with a
hardware component. If I can help any further Meredith, just let me
know.

Mark


19 Sep 2008 - 3:00pm
Meredith Noble
2010

> > I am EXTREMELY worried about forcing high entropy on people though... so
> > that's where I start sighing. Sigh.

> Well, the reality of the stringent password policy issue is that
> people will find lazy workarounds unless they are invested in the
> liability. Meaning... if it is their credit card that will be used,

That's pretty much my problem. We don't think users really care that
much, because it's not a banking app. The most a hacker could find would
be the user's phone number, address, etc.

Unfortunately, that user doesn't see how that information could then be
used to phish them, and install spyware. The consequences to my client
of that kind of attack are pretty huge, but a user doesn't foresee
something like that. So the interests of the company and the interests
of the users aren't really aligned.

That leaves forcing users to have strong passwords, which leads to
either a) annoyance & forgetfulness or b) sticky notes. The users of the
app are distributed -- so I'm wondering whether sticky notes really
matter that much.

I could see sticky notes being a problem if the sticky note is attached
to the very computer the password logs into. But if the sticky note is
for some random website? The person who wants the info on my client's
website is a large scale scammer -- not likely to browse through random
offices looking for sticky notes, you know?

I guess I'm convincing myself that perhaps sticky notes don't matter SO
much in this situation, and therefore it wouldn't be the end of the
world to force users to go for more complex passwords, that resist a
standard brute-force attack.

Wondering if I'm making any sense...

Meredith

19 Sep 2008 - 2:36pm
Katie Albers
2005

Okay, this isn't strictly speaking about password usability...but
it's an issue that concerns me. It's my belief that this represents
the usability end of the continuum.

My bank (yes, that's right...my *bank*) uses a method that they swear
is extremely difficult to hack (in fact, they switched over to this
system for "enhanced security" purposes): you enter your account
number, press login, and you're taken to a page that has your
password embedded in a graphic (a pretty background picture that you
get to choose) as a graphic...in case that's hard for you to read, it
appears in text below the graphic. Typing in that password gives you
full access to all banking capabilities. You can't use anything but
alphanumeric characters in your password; they insist on one number.

Can anyone here see *anything* about this that qualifies as security?
It seems to me that all I have to do is write a check to one
untrustworthy person, get my purse stolen, apply for direct deposit
with an $8/hr clerk with an attitude, and I'm hosed.

Katie


--
Katie Albers, Senior Director
Web-Based Services
Mary-Margaret Network
Find. Grow. Work. Play.
+1 310 356 7550 (voice)
+1 877 662 3777 x 709
katie at mary-margaret.com
http://www.mary-margaret.com

19 Sep 2008 - 2:25pm
Meredith Noble
2010

Brett brings up another possibility - has anyone ever implemented
passphrases or graphical passwords on their websites? I've never seen
them on the web (only in non-web applications, like passphrases for WEP
keys).

I'm curious if there are any downsides to passphrases in particular. I
don't think I would force users to use a passphrase, but I'm interested
in suggesting it to them as a more secure option. (I doubt my client has
the resources for a graphical password system at this point.)

Brett, just to play devil's advocate, the downsides to your proposed
system seem to be:

- only 28 potential characters -- so there are only 28^L possibilities
for the password (where L is the length of the password), whereas a
regular keyboard gives you 96^L possibilities (although L could be left
open, most users would probably keep it fairly low so they could more
easily remember the password)

- people could easily watch you over your shoulder

- hackers could probably try patterns first - Vs, Ls, etc.

- because not all letters / numbers are available, you can't create a
password with much personal meaning to you.

Meredith

19 Sep 2008 - 3:34pm
Meredith Noble
2010

> system for "enhanced security" purposes): you enter your account
> number, press login, and you're taken to a page that has your
> password embedded in a graphic (a pretty background picture that you
> get to choose) as a graphic...in case that's hard for you to read, it
> appears in text below the graphic. typing in that password gives you
> full access to all banking capabilities. You can't use anything but
> alphanumeric characters in your password; they insist on one number.

Wow... that's a little crazy. I've never heard of such a thing. I
thought you were about to describe SiteKeys at first -- where you:

1) Enter your username
2) Go to a second page, see your 'secure image'
3) Enter password on that page
4) Gain access to the site

And even those are completely attackable. (For the curious, see:
http://tinyurl.com/2ghkxt)

But what you described sounds asinine. I hope you're planning on
switching banks!

Meredith

19 Sep 2008 - 1:40pm
Anonymous

Meredith,
I don't know if this is too 'James Bond' for you or if I'm just totally
crazy, but I designed this image for you to look at. Being in the military
and working in several police stations, I have witnessed high
security-guarded areas including Perimeter-based Access Stations.

(Pass the yellow line while someone else is gaining entry and you will
literally be shot)
I'm sure you've heard of Graphical Password techniques, many real-life
industrial designers use them for such things as gaining entry to a
department, car or to execute a certain action on a control panel or
cockpit.
Graphical Passwords are still not widely used but there are several
advantages to it. (Please note that the wording, character symbols, colours,
etc., are simply there to serve as an example.)
Advantages are:
1. The user is able to physically see their pad-selection
2. It is impossible for an intruder to know how many characters are needed
(Whether it's 8, 9, 10, 11, 12, 13, 14, 15, 16 digits long)
3. User is prompted to pay attention due to the 24 hour lockdown possibility
4. User has been informed that their IP address has been recorded
5. User has been informed that they only have 2 chances to enter
6. The character symbols can be whatever the team decides for it to be
7. Physical combinations are easier to remember than a straight jargon
password (e.g., someone can punch in a pattern of a cross, or a 'V' shaped
symbol)

I have not thoroughly investigated this, and I'm not totally sure what the
disadvantages are.
Maybe we can open this up for discussion?

I hope this has been a form of help or inspiration to you.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: meredeth.gif
Type: image/gif
Size: 14252 bytes
Desc: not available
URL: <http://lists.interactiondesigners.com/pipermail/discuss-interactiondesigners.com/attachments/20080919/f17b293f/attachment.gif>

19 Sep 2008 - 3:23pm
Anonymous

"people could easily watch you over your shoulder"

Just use the yellow line Meredith...the good ol' yellow line!

You are absolutely right about your points of disadvantages. Remember, my
example comes from actual military experience.
1. No one can cross the yellow line or you'll get shot, so there's no problem
with anyone looking.
2. Security clearance is way too high for hackers or foreign intruders to
enter the premises.
3. Passwords have no personal meaning, so you either remember or get charged
for forgetting.

By the way I never had any personal clearance for this kind of thing. But I
witnessed it regularly.

Like I said, I have not studied this through but I do hope that there is a
solution in graphical form simply because I (personally) relate to graphics
and symbols.
Whatever your solution is, I would be really interested in hearing about it.

19 Sep 2008 - 5:14pm
Calvin
2008

Not sure if I am totally off-topic, but speaking of passwords, I have
got a couple of pretty cool and secure ideas about authentication which
I heard from a podcast called "Security Now".

The "Perfect Paper Password" (http://www.grc.com/securitynow.htm
episodes #115 and #117) is an open-source program that can generate a
bunch of one-time-only PINs that are meant to be printed on a paper
and kept in your wallet.

The YubiKey (http://www.grc.com/securitynow.htm episode #143) is a tiny
USB dongle that has only one button on it that generates a one-time
PIN when pressed. The authentication engine is totally open-source
and free.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Posted from the new ixda.org
http://www.ixda.org/discuss?post=33174
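The one-time PIN idea behind both of those products, as an added example in Python (not code from the thread, from GRC or from Yubico). It implements the generic RFC 4226 HOTP construction (a shared secret plus an event counter, HMAC-SHA1, dynamic truncation), not the Perfect Paper Passwords algorithm and not the YubiKey's own OTP format. The `paper_sheet` helper and the server-side look-ahead verifier are my assumptions about how such a list would be printed and checked; the key is the RFC's published test-vector key, used only so the codes can be checked against it.

```python
"""One-time PINs as in RFC 4226 (HOTP): an event counter plus a shared secret.

Added example; this is the generic HOTP construction, not the Perfect Paper
Passwords algorithm or the YubiKey's own OTP format. The secret below is the
RFC 4226 test-vector key, used here only so the codes can be verified.
"""
import hashlib
import hmac
import struct

RFC4226_SECRET = b"12345678901234567890"   # test key from the RFC, never use in production


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def paper_sheet(secret: bytes, start: int = 0, count: int = 10) -> list:
    """The 'keep it in your wallet' form: a numbered list of codes to cross off.
    Returns (counter, code) pairs; the counter is what the user reads back."""
    return [(c, hotp(secret, c)) for c in range(start, start + count)]


class OneTimePinVerifier:
    """Server side. Accepts a code only for a counter at or ahead of the next
    expected one, within a small look-ahead window (the user may have skipped
    or wasted a few), then moves the counter past it so the same PIN, or any
    earlier one, can never be replayed."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            expected = hotp(self.secret, c).encode("ascii")
            if hmac.compare_digest(expected, code.encode("utf-8")):
                self.next_counter = c + 1
                return True
        return False


if __name__ == "__main__":
    for counter, code in paper_sheet(RFC4226_SECRET):
        print(f"{counter:2d}: {code}")
    server = OneTimePinVerifier(RFC4226_SECRET)
    # First use is accepted; presenting the same PIN again is a replay and refused.
    print(server.verify("755224"), server.verify("755224"))
```

The verifier advancing past the counter it accepted is what makes the PIN one-time: the same code, or any code from an earlier counter, is refused on the next call, and a code far beyond the look-ahead window is refused too, so a stolen sheet is only useful for the few codes the legitimate user has not yet consumed.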

21 Sep 2008 - 6:35am
Håkan Reis
2006

Hi,

I would definitely consider enforcing pass phrases. At Coding Horror
(http://www.codinghorror.com/blog/archives/000342.html) you can
find a lot of information regarding passwords and security, both from
a technical standpoint (never store the password, just the salted hash) and
from the user's standpoint. I now use phrases everywhere and they're both easy
to remember and easy to modify for each site.

My biggest problem now is that many sites prevent longer phrases and
stop at 10-15 characters, and don't allow spaces.

A "secure" policy like 8 letters, special characters, with the addition of
forcing the user to change every 30/60/90 days, always leads to the simplest
possible password like "Computer001!", "Computer002!", etc. It follows the
rules but is extremely easy to brute-force hack.

I think that graphical security is harder to handle at the moment because
people are not as used to working with them, but it might change over time.

Regards
---
Håkan Reis
Dotway AB
+46(768)510033

My blog || http://blog.reis.se
My company || http://dotway.se
Our conference || http://oredev.org - See you in 2008

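The "never store the password, just the salted hash" advice, as an added example in Python using the standard library's PBKDF2-HMAC-SHA256 (this is not the Coding Horror post's code). The record format, the 600,000-iteration default and the sample phrases are assumptions; `unsalted_sha256` is there only to show the anti-pattern being warned against. Long phrases with spaces are accepted as-is, since a hash has no reason to cap the input at 10-15 characters.

```python
"""Store a salted, iterated hash rather than the password itself.

Added example using PBKDF2-HMAC-SHA256 from the standard library; the record
format and iteration count are assumptions, not the blog post's own code.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumption: tune so one check costs roughly 100 ms on your server


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    A fresh 16-byte random salt per password means two users with the same
    password get different records, so a precomputed table is useless."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:          # malformed record: wrong field count or bad hex
        return False


def unsalted_sha256(password: str) -> str:
    """The anti-pattern, for contrast: identical passwords give identical hashes,
    so one lookup table cracks every account that chose 'Computer001!'."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    phrase = "my cat knocks the coffee off the desk at 6"   # constructed, long, has spaces
    record = hash_password(phrase)
    print(record)
    print(verify_password(phrase, record), verify_password(phrase + "!", record))
    # Same password, two users: identical without salt, distinct with it.
    print(unsalted_sha256("Computer001!") == unsalted_sha256("Computer001!"))
    print(hash_password("Computer001!") == hash_password("Computer001!"))
```

The stored record carries its own salt and iteration count, so the count can be raised later for new records while old ones still verify, and `hmac.compare_digest` avoids leaking through timing how many bytes of the digest matched.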

21 Sep 2008 - 3:24pm
jet
2008

I haven't seen this posted yet, Bruce Schneier on how to pick a secure
password. Some good information in here, and while he's not a usability
expert, Schneier totally gets the security-vs-usability problem:

<http://www.schneier.com/blog/archives/2007/01/choosing_secure.html>

--
jet / KG6ZVQ
http://www.flatline.net
pgp: 0xD0D8C2E8 AC9B 0A23 C61A 1B4A 27C5 F799 A681 3C11 D0D8 C2E8

24 Sep 2008 - 5:27am
tamlyn
2008

> I think my recommendation is going to be a weak-medium-strong entropy
> indicator that takes dictionary words into account

I was user testing a sign-up form that included a password strength
indicator recently. It had three states "Too Short" (which prevented
users from submitting the form), "Weak" and "Strong". The only users
who paid any attention to the strength indicator were those who
initially chose a password which was "Too Short" and all they did was
add a few characters until the display changed to "Weak" then resubmit
the form. Only one out of 6 users ended up choosing a password which
was "Strong" and that didn't appear to be as a result of using the
password strength indicator.

Tamlyn.
