UCL logo

UCL Discovery

UCL home » Library Services » Electronic resources » UCL Discovery

The Rewards and Costs of Stronger Passwords in a University: Linking Password Lifetime to Strength

Becker, I; Parkin, S; Sasse, MA; (2018) The Rewards and Costs of Stronger Passwords in a University: Linking Password Lifetime to Strength. In: 27th USENIX Security Symposium. (pp. pp. 239-253). USENIX Association Green open access

[img]
Preview
Text
Becker_sec18-becker.pdf - ["content_typename_Published version" not defined]

Download (461kB) | Preview

Abstract

We present an opportunistic study of the impact of a new password policy in a university with 100,000 staff and students. The goal of the IT staff who conceived the policy was to encourage stronger passwords by varying password lifetime according to password strength. Strength was measured through Shannon entropy (acknowledged to be a poor measure of password strength by the academic community, but still widely used in practice). When users change their password, a password meter informs them of the lifetime of their new password, which may vary from 100 days (50 bits of entropy) to 350 days (120 bits of entropy). We analysed data of nearly 200,000 password changes and 115,000 resets of passwords that were forgotten/expired over a period of 14 months. The new policy took over 100 days to gain traction, but after that, average entropy rose steadily. After another 12 months, the average password lifetime increased from 146 days (63 bits) to 170 days (70 bits). We also found that passwords with more than 300 days of lifetime are 4 times as likely to be reset as passwords of 100 days of lifetime. Users who reset their password more than once per year (27% of users) choose passwords with over 10 days fewer lifetime, and while they also respond to the policy, maintain this deficit. We conclude that linking password lifetime to strength at the point of password creation is a viable strategy for encouraging users to choose stronger passwords (at least when measured by Shannon entropy).

Type: Proceedings paper
Title: The Rewards and Costs of Stronger Passwords in a University: Linking Password Lifetime to Strength
Event: USENIX Security '18, 27th USENIX Security Symposium, 15-17 August 2018, Baltimore, Maryland, USA
Location: Baltimore, MD
Dates: 15 August 2018 - 17 August 2018
Open access status: An open access version is available from UCL Discovery
Publisher version: https://www.usenix.org/conference/usenixsecurity18...
Language: English
Additional information: This is the published version of record. For information on re-use, please refer to the publisher’s terms and conditions.
UCL classification: UCL > Provost and Vice Provost Offices
UCL > Provost and Vice Provost Offices > UCL BEAMS
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Security and Crime Science
URI: http://discovery.ucl.ac.uk/id/eprint/10051977
Downloads since deposit
25Downloads
Download activity - last month
Download activity - last 12 months
Downloads by country - last 12 months

Archive Staff Only

View Item View Item