UCL logo

UCL Discovery

UCL home » Library Services » Electronic resources » UCL Discovery

The true cost of unusable password policies: password use in the wild

Inglesant, PG; Sasse, MA; (2010) The true cost of unusable password policies: password use in the wild. In: Proceedings of the 28th international conference on Human factors in computing systems. (pp. 383 - 392). ACM: New York, NY, USA. Green open access

PDF - Requires a PDF viewer such as GSview, Xpdf or Adobe Acrobat Reader


HCI research published 10 years ago pointed out that many users cannot cope with the number and complexity of passwords, and resort to insecure workarounds as a consequence. We present a study which re-examined password policies and password practice in the workplace today. 32 staff members in two organisations kept a password diary for 1 week, which produced a sample of 196 passwords. The diary was followed by an interview which covered details of each password, in its context of use. We find that users are in general concerned to maintain security, but that existing security policies are too inflexible to match their capabilities, and the tasks and contexts in which they operate. As a result, these password policies can place demands on users which impact negatively on their productivity and, ultimately, that of the organisation. We conclude that, rather than focussing password policies on maximizing password strength and enforcing frequency alone, policies should be designed using HCI principles to help the user to set an appropriately strong password in a specific context of use.

Type:Proceedings paper
Title:The true cost of unusable password policies: password use in the wild
Event:28th international conference on Human factors in computing systems (CHI 2010)
Location:Atlanta, GA, USA
Dates:2010-04-12 - 2010-04-15
Open access status:An open access version is available from UCL Discovery
Publisher version:http://dx.doi.org/10.1145/1753326.1753384
Additional information:"© ACM 2010. This is the author's version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record was published in roceedings of the SIGCHI Conference on Human Factors in Computing Systems, http://dx.doi.org/10.1145/1753326.1753384."
UCL classification:UCL > School of BEAMS > Faculty of Engineering Science > Computer Science

View download statistics for this item

Archive Staff Only: edit this record