MIPRO 2014, 26-30 May 2014, Opatija, Croatia
Password security – no change in 35 years?
Viktor Taneski*, Marjan Heričko* and Boštjan Brumen*
* University of Maribor, Faculty of electrical engineering and computer science/Institute of Informatics, Maribor,
Slovenia
viktor.taneski@uni-mb.si, marjan.heričko@uni-mb.si, bostjan.brumen@uni-mb.si
Abstract - BACKGROUND: Textual passwords were first
identified as a weak point in information system’s security
by Morris and Thompson in 1979. They found that 86% of
the passwords were weak: being too short, containing
lowercase letters only, digits only or a combination of the
two, being easily found in dictionaries. OBJECTIVE:
Despite the importance of passwords as the first line of
defense in most information systems, little attention has
been given to the characteristics of their actual use. Thus,
the objective of this paper is to identify any problems that
may arise in creating and using textual passwords.
METHOD: A systematic literature review of studies in the
area of password use and password security. Our research is
restricted to articles in journals and conference papers
written in English and published between 1979 and 2014.
The search is conducted through IEEEXplore,
ScienceDirect, Springer Link and ACM Digital Library.
RESULTS: The computer community has not made a very
much-needed shift in password management for more than
35 years. Users and their passwords are still considered the
main weakness in any password system, because users often
choose easily guessable passwords: words, names,
birthdates, etc., because they are easy to remember.
CONCLUSION: Password policies and password checkers
can help users create strong and easy-to-remember
passwords. This work will serve as a starting point for our
further research in this area where we want to determine
whether these password policies are useful to the users, and
whether the users can easily apply them.
I. INTRODUCTION
Typically, a user is authenticated based on one of the
three underlying principles: “what you know” (e.g. textual
or graphical passwords), “what you are” (e.g. retina, iris,
voice and fingerprint scans) and “what you have” (e.g.
smart cards or other tokens). The passwords that fall under
the category of “what you know” can be divided into
textual passwords and graphical passwords [24][29]–
[31][45]. In this study, we focus particularly on the textual
passwords and their security simply because they are still
the most common method for authentication.
More than 30 years ago, Morris and Thompson [3]
identified textual passwords as a weak point in
information system’s security. They found out that
majority of users’ passwords (87% of them) were short,
contained only lowercase letters or digits or were easily
found in dictionaries. Because the use of passwords has
always been, and continues to be, one of the most
common control mechanisms for authenticating users of
computerized information systems, it was expected that
Morris and Thompson would have raised the awareness of
1360
system users about the consequences of how they choose
their passwords. However, despite the widespread use of
passwords and their importance as the first line of defense
in most information systems, little attention has been
given to the characteristics of their actual use.
The objective of this paper is to perform a systematic
literature review of studies in the area of textual
passwords and textual passwords security. We conduct
our review following the guidelines proposed in [1]. The
rationale for conducting the review is threefold. The first
reason is to identify any problems that may arise in
creating and using textual passwords. Secondly, to
appraise the current situation of passwords with respect to
the passwords strength, password management and
password memorability. Thirdly, to find out what is the
relationship between users and the textual passwords they
use (are the users still “the weakest link?”).
The reminder of this paper is organized as follows: the
research method is described in Section II, while Section
III represent the review results and the answers to our
research questions. Section IV concludes the paper and
presents plans for future work.
II. RESEARCH METHOD
A. Research Questions
We use the PICOC (Population, Intervention,
Comparison, Outcomes, Context) [2] structure for
formulating the research questions. Table 1 represents the
selected criteria for the PICOC structure. Considering the
three parts in Table 1, we formulate the following research
questions:
x RQ1: What are the major problems with creating
and managing textual passwords?
x RQ2: What is the current situation of textual
passwords with respect to password strength,
password management and password
memorability?
x RQ3: What is the relationship between users and
textual passwords? Are the users still "the weakest
link"?
Our population represents the textual passwords, while
the intervention are the different techniques and
technologies used for creating and manipulating textual
passwords. We do not compare textual passwords with
other types of passwords, since our subject of interest are
strictly textual passwords. The outcomes refer to the

TABLE I. THE PICOC STRUCTURE
Population Textual passwords
Techniques and technologies for creating
Intervention
and managing textual passwords
Comparison / graphical passwords or any other type of user
Problems when creating and managing
Outcome
textual passwords
Context / not always extensive, we do not always have a clear
problems that may arise in creating and using (or
manipulating) textual passwords.
B. Search Strategy
Our literature search strategy is organized in two
phases: initial search and reference search.
The initial search for relevant studies is performed
over electronic data sources – digital libraries. When
selecting the digital libraries, we took into account the
recommendations from the literature [1] and also our
knowledge and practical experience and the fact that we
do not have access to all the digital databases. This initial
search is conducted through the digital databases
IEEEXplore, ScienceDirect, SpringerLink and ACM
Digital Library.
We composed a search string by deriving major search
terms from our research questions and by using Boolean
OR to link the major search terms:
(“password security” OR “password strength” OR
“password memorability” OR “password cracking”
OR “password management”)
The search of the electronic databases is restricted to
articles in journals, conference papers and book chapters
written in English and published since 1979, i.e. this is the
year when the first article in the area of password security
was published.
The reference search is conducted by reviewing the
reference lists of primary studies and the review articles
addressing the password security [3], [4] and [5].
C. Selection Criteria
The search is performed by using the search string and
the search result is a set of documents in which the search
string appears partially or entirely. However, in some
cases, the search string outputs a study whose topic is in a
different field of study. Because of such cases, we also
performed a subsequent semantic checking by reading the
titles and abstracts of these documents and selecting the
documents that are consistent with our research area. This
selection is carried out in an objective manner, using
inclusion and exclusion criteria. In order to select the
relevant documents, we define the following inclusion and
exclusion criteria:
Inclusion – a study focuses on textual passwords only
(“what you know”):
x the study focuses on password security or
presents method(s) for password creation
1361
x the study deals with issues or problems with
password use, password management or
password memorability
Exclusion – a study is not peer-reviewed, or the study
deals with computer security in general, cryptography,
authentication (biometrics, tokes or smart cards etc.).
Because the titles and abstracts of the documents are
indication if the document meets the specified criteria. If
this is the case, we take a further step and read the whole
document to determine whether the data meet the
inclusion and exclusion criteria.
III. RESULTS
Table 2 lists the results from the initial search. The
search into 4 electronic databases found 58 relevant
primary studies. The third column in the table represents
the number of studies that are duplicates, i.e. studies that
have already occurred in another digital database. We can
see from the table that the ACM Digital Library
contributed the largest number of documents (42) and also
the largest number of duplicates (20). The column “Total
relevant studies” shows the total number of documents
from each source, but in this case documents that have
already appeared in the a previous source are not included.
The review of the references of the primary studies found
additional 9 documents that were not found by the initial
search of the electronic databases, thereby increasing the
number of total relevant documents to 67.
Next, we present the results of our review and the
answers to the research questions.
RQ1: What are the major problems with creating and
managing textual passwords?
We observe that 17 ([3]-[18][68]) out of 67 studies,
address the issue of password security, password use or
re-use, and are suitable for answering the first research
question.
As already mentioned earlier, Morris and Thompson
[3] were the first authors that addressed the issue of
password security in 1979. They observed problems
regarding to the accessibility and availability of the
password file in the UNIX system. They also conducted
experiments in order to determine typical users’ habits
about the choice of passwords and noticed that users of
the system chose passwords that are short, simple and
from a restricted character set (e.g. alphanumeric
password with all lower-case letters). Ten years later
authors in [4] concluded that, in order to maximize the
difficulty of password cracking and to prevent the fast,
simple attacks, systems should implement passwords
policies that will require the passwords to contain certain
amount of entropy.
On the other hand, higher entropy makes a password
more difficult for a user to memorize [13]. Further
research has shown that despite password policies’
recommendations and the efforts by information system
professionals to educate users about secure password
policies, users still tend to choose passwords that are

TABLE II. SUMMARY OF FOUND AND SELECTED STUDIES
Duplicates Total
Electronic Found Relevant
found relevant
database studies studies
elsewhere studies
IEEEXplore 89 15 0 15
ScienceDirect 76 6 0 6 accounts but are not creating more passwords.
SpringerLink 847 15 0 15
ACM Digital
1203 42 20 22
Library
Total 2215 78 20 58
simple and easy to remember [5]. This particular study [5]
showed that user-created passwords are still based on
user's personal data or a combination of meaningful
details. Adams and Sasse [7] conducted a study of
password related user behaviors, including password
construction, frequency of use, password recall and work
practices. They concluded that their participants lacked
security motivation and understanding of password
policies, and tended to circumvent password restrictions
for the sake of convenience.
Because of the rapid growth of the popularity of
Internet technology and e-commerce and the increased
number of online services requiring password based
authentication, users have to maintain many different
accounts [15]. Different passwords should be used for
every account so that no single password cracking will
lead to compromising the other accounts [10], thus users
have to remember multiple passwords.
In order to provide better password security i.e. to
ensure that a stolen password will become unusable more
or less quickly, some password security mechanisms and
password policies include forced password change
(password aging). This results with the user having many
different accounts to maintain and many different
passwords to remember that are changing frequently
because of password security mechanisms. Password
aging is a very serious problem, because of the lack of
warning users receive before their password is about to
expire. If the system insist on users changing their
password during the login procedure, denies them the time
to think about choosing a good one [6]. Forcing password
change too frequently may make the user to quickly
forget the password [5][13], or to write it down
[5][8][9][14], which is another “bad habit” noted in the
literature regarding to password security.
One of the most common vulnerability, which is also
most frequently cited in the literature, associated with
password security is the password re-use (using the same
password, or a very similar one, for more than one secure
item) [9][10][11][12][14][15][16][17][18]. The results of
studies [9][17] show that duplicating passwords is a very
common practice. In such an environment, where one
password is used for authentication for several different
accounts (an average user has about 25 different password
accounts [12]), password re-use can cause serious damage,
if the password is successfully cracked, for a single (not-
so-important) account. Information may be revealed that
will aid the hackers in infiltrating other systems,
1362
potentially leading to the fall of many other systems
(including the ones that are far more secure that the first
one) [10]. Users must lower their overall password
quality, in order to cope with the password overload [68].
According to [11], duplicating passwords is more likely to
become more problematic in the future as password reuse
rates are increasing because people are accumulating more
RQ2: What is the current situation of textual
passwords with respect to password strength, password
management and password memorability?
From all collected documents, we can observe that in
the period of 35 years different methods and approaches
for creating and easily memorizing and managing textual
passwords were developed ([19]-[58][64]-[67][69] 45 out
of 67 studies).
The earliest approach that deals with the problem of
creating passwords that are memorable and difficult to
guess, is the use of cognitive passwords. Cognitive
passwords represent a dialog between a user and a system.
The dialog is a actually a rotating set of randomly chosen
questions out of a set of predefined questions, previously
selected by the user [20]. Cognitive passwords are more
readily recalled than conventional passwords and are also
more difficult to guess [20][21][23]. The only possible
issues are the issue of time needed for authentication of
user access and that remembering many cognitive
passwords may be harder for the user [20][21].
Similar to cognitive passwords are associative
passwords. This alternative is based on a single-word cue
and a one-word response, instead of whole questions and
answers [21]. Just like with cognitive passwords, the only
possible problem is that a user would likely not remember
many associative passwords [21][54].
Passphrases and mnemonic-based passwords are
another alternative for conventional passwords. A
passphrase is basically an extended password, which
consists of a meaningful sequence of words. It is designed
to form a compromise between ease of memorability and
difficulty of guessing it [21]. It turned out that passphrases
are no harder to remember and are more resistant to brute-
force attacks than conventional passwords [35][21]. But
[35] also found out that passphrase users initially
experienced a significantly higher number of login failures
due to typographical errors, which can be one downside of
passphrases. Mnemonic-based passwords present an
alternative for passphrases and are also one of the earliest
approaches [19]. They are basically a short passphrase
where a character (often the first letter) is used to
represent each word of the passphrase (e.g. “I love to ski
at Seven Springs!” transforms into “Ilts@7S!”) [32]. They
are difficult to guess, but are also almost equally safe as
the random passwords, and equally easy to remember as
the naively selected passwords [27][43]. The only
downside of mnemonic-based passwords is that users
often select phrases from music lyrics, movies, literature,
or television shows, which are often available on the
internet. This opens the possibility that a dictionary of
mnemonic passwords can be built, so authors in [32]
conclude that mnemonic passwords should not be treated
as a solution for the problems mentioned earlier in this
section.
We mentioned password policies earlier as a
mechanism for encouraging users to create and use strong
and easy to crack passwords. But the literature shows that
users do not comply with such recommendations and
policies [28][33][47][51][53]. This usually happens
because password policies are too inflexible to match
users’ capabilities, and the tasks and contexts in which
they operate [47][66]. So, other studies conclude that
password policies should be adjusted for different focus
groups and should be more aware of the increasing burden
users have managing passwords [39][57][67]. If we start
to enforce stricter password policies without a thorough
explanation and user training, this has almost no effect
[57][64]. This can create a conflict between users’
perception and the enforced practice – we can only ran
into some of the already mentioned problems regarding to
password security [47][52].
Some authors even propose that administrators should
pro-actively attempt to crack passwords in their systems,
in order to estimate the risk of password-guessing attacks,
such as [69]. Password breaking mechanisms may also be
used for data recovery purposes, as suggested in [69].
A proactive password checker is one possible
solution to prevent users from creating easily guessed
passwords and to also encourage them to adhere to
password policies. Password checkers are proposed in
some of the studies we analyze, including [22][25][26]
[44][65]. But password security is not a problem that can
be solved only by technical means. Human factors are also
very important (which is basically the problem with
password policies) [25]. A further research is needed in
order to find out how to create password policies that are
acceptable to users and that can create secure passwords.
A few studies propose a technique of “persuading”
users to choose better passwords, rather than to instruct
them or impose new password schemes, because they
believe that improved instructions and new password
schemes may not be the solution [36][40].
Passfaces and graphical passwords are not originally
our subject of interest but, since they are potential
substitute for textual passwords, we decided to include
only those studies where the security of graphical
passwords is discussed. Studies [24][29]–[31][45] show
that passfaces and graphical passwords actually provide a
better security than textual passwords. The only downside
with graphical password is that the password registration
and log-in process take very long and the authentication
procedure is different than that using textual passwords.
This requires redesign of the existing software.
It seems that users are more aware about password
security and the importance of creating strong and hard to
guess passwords [48]. The results indicate that, according
to the amount of characters, passwords became little more
secure over time (a study in Greece shows that the average
password length is slightly less than 7 characters)
[49][56]. Despite that, users still tend to use less secure
passwords (which are composed only of lowercase letters,
uppercase letters or numbers), to write their passwords
1363
down or to share them with their friends and they also
rarely change their passwords [34][38][46]. Password
requirements may have something to do with this, since
[42] found out that the majority of the websites that have
passwords requirements, do not keep pace with the
progress in the area of password security and rarely
change od update their passwords requirements. In the
following years we can expect that the security of any
system that is based on passwords will be equivalent to
the availability of the material for passwords disclosure
and not how random and strong passwords are [58].
Therefore, stronger passwords may not be necessary
(especially for smaller institutions with hundreds rather
than millions of users), as long as the security protocols
are well designed (e.g. three unsuccessful logins freezes
the account for a time) [37]. Users can also be encouraged
to design strong passwords, using elements associated
with a given service, together with a personal factor [55].
The growth of web-based services will demand
memorizing even more passwords in the future, so some
other usable alternatives to textual passwords may have to
be found [41][56]. Due to the widespread use of the World
Wide Web and the increased number of Web accounts that
a user has to maintain, we still encounter with the majority
of the already discussed problems [34][50].
RQ3: What is the relationship between users and their
textual passwords? Are the users still "the weakest link"?
The rest of the studies (5 out of 67) address the issue
of the user as the weakest link in password security
[59][60][61][62][63]. From the studies that we have
already analyzed, we can observe that the user behavior is
a very common issue in the area of password security and
many security departments treat users as a security risk
that needs to be controlled. Authors in [59] and [60] argue
that the usability of the security mechanism has rarely
been investigated. Users usually are not aware about the
security threats and the importance of security and
password mechanism are currently badly matched to
users’ capabilities and their tasks. These are the challenges
arising from the lack of communication between users and
organizations (or their security services), which leads to
the development of useless security mechanisms [59][60].
Therefore it is maybe necessary for password mechanisms
to apply a user-centric approach for designing “usable
security” (i.e. human factors should be given priority over
technological factors) [62][63]. On the other hand, authors
in [61] claim that users are the enemies of the system
(willingly or unwillingly) and security policies should be
applied appropriately according to the user's type. They
argue that ignorant users have to be educated about
security mechanisms, and non-copliant users have to be
persuaded to follow the security best practices.
According to this, we can not conclude if the users are
still the enemy of a system and we aggree that a further
research in this area is needed.
IV. CONLUSION
The results of our review show that the computer
community has not made a very much-needed shift in
password management for more than 35 years. It seems
nothing has changed since Morris and Thompson
addressed the issue of password security and published
their results in 1979. For example, an average user has 8.5
different Web accounts, 6.5 passwords (each of which is
shared across 3.9 different websites), resulting in users to
very often forget their passwords or write them down
[12][34][50]. Besides that, users still tend to create
passwords based on their personal characteristics. Users
and their passwords are still considered the weakest link –
the main weakness in any password system is that users
often choose easily guessable passwords: words, names,
birthdates, etc., because they are easy to remember. One
way to decrease password guessability is to restrict the
passwords accepted from the user by using a system (e.g.,
a password checker) that filters out easily guessed
passwords. Password checkers require that passwords
have certain characteristics (usually defined in a password
policy) before they are accepted by the system when the
user enters a password. Password policies and password
checkers can help users create strong and easy-to-
remember passwords. However, despite password policy
advice, users still tend towards creating weak and easy-to-
guess passwords. This work will serve as a starting point
for our further research in this area where we want to
determine whether these password policies are useful to
the users, and whether the users can easily apply them or
the policies cause them problems when creating and using
passwords.
REFERENCES
[1] B. Kitchenham and S. Charters, “Guidelines fro performing
Systematic Literature Reviews in Software Engineering,”
2007.
[2] M. Petticrew and H. Roberts, Systematic Reviews in the Social
Sciences - A Practical Guide, 1 edition. Wiley-Blackwell,
2006, p. 352.
[3] R. Morris and K. Thompson, “Password Security: A Case
History,” Commun. ACM, vol. 22, no. 11, pp. 594–597, Nov.
1979.
[4] D. Feldmeier and P. Karn, “UNIX Password Security - Ten
Years Later,” in in Advances in Cryptology — CRYPTO’ 89
Proceedings SE - 6, vol. 435, G. Brassard, Ed. Springer New
York, 1990, pp. 44–63.
[5] M. Zviran and W. J. Haga, “Password Security: An Empirical
Study,” J. Manage. Inf. Syst., vol. 15, no. 4, pp. 161–185,
1999.
[6] M. Bishop, “Password management,” Compcon Spring ’91.
Digest of Papers. pp. 167–169, 1991.
[7] A. Adams, M. A. Sasse, and P. Lunt, “Making Passwords
Secure and Usable,” in Proceedings of HCI on People and
Computers XII, 1997, pp. 1–19.
[8] E. F. Gehringer, “Choosing passwords: security and human
factors,” Technology and Society, 2002. (ISTAS’02). 2002
International Symposium on. pp. 369–373, 2002.
[9] A. S. Brown, E. Bracken, S. Zoccoli, and K. Douglas,
“Generating and remembering passwords,” Applied Cognitive
Psychology, vol. 18, no. 6, pp. 641–651, Sep. 2004.
[10] B. Ives, K. R. Walsh, and H. Schneider, “The Domino Effect
of Password Reuse,” Commun. ACM, vol. 47, no. 4, pp. 75–
78, Apr. 2004.
[11] S. Gaw and E. W. Felten, “Password Management Strategies
for Online Accounts,” in Proceedings of the Second
Symposium on Usable Privacy and Security, 2006, pp. 44–55.
[12] D. Florencio and C. Herley, “A Large-scale Study of Web
Password Habits,” in Proceedings of the 16th International
Conference on World Wide Web, 2007, pp. 657–666.
[13] P. Cisar and S. M. Cisar, “Password – a Form of
Authentication.” 2007.
1364
[14] P. Hoonakker, N. Bornoe, and P. Carayon, “Password
Authentication from a Human Factors Perspective : Results of
a Survey among End-Users,” pp. 459–463, 2009.
[15] G. Notoatmodjo and C. Thomborson, “Passwords and
Perceptions,” in Proceedings of the Seventh Australasian
Conference on Information Security - Volume 98, 2009, pp.
71–78.
[16] P. Tarwireyi, S. Flowerday, and A. Bayaga, “Information
security competence test with regards to password
management,” Information Security South Africa (ISSA),
2011. pp. 1–7, 2011.
[17] S. Egelman, A. Sotirakopoulos, I. Muslukhov, K. Beznosov,
and C. Herley, “Does My Password Go Up to Eleven?: The
Impact of Password Meters on Password Selection,” in
Proceedings of the SIGCHI Conference on Human Factors in
Computing Systems, 2013, pp. 2379–2388.
[18] M. Jakobsson and M. Dhiman, “The Benefits of
Understanding Passwords,” in in Mobile Authentication SE -
2, Springer New York, 2013, pp. 5–24.
[19] B. F. Barton and M. S. Barton, “User-friendly Password
Methods for Computer-mediated Information Systems,”
Comput. Secur., vol. 3, no. 3, pp. 186–195, 1984.
[20] M. Zviran and W. J. Haga, “Cognitive passwords: The key to
easy access control,” Computers & Security, vol. 9, no. 8, pp.
723–736, 1990.
[21] M. Zviran and W. Haga J., “A Comparison of Password
Techniques for Multilevel Authentication Mechanisms,” vol.
36, no. 3, 1993.
[22] M. Bishop and D. V Klein, “Improving system security via
proactive password checking,” Computers & Security, vol. 14,
no. 3, pp. 233–249, 1995.
[23] J. Bunnell, J. Podd, R. Henderson, R. Napier, and J. Kennedy-
Moffat, “Cognitive, associative and conventional passwords:
Recall and guessing rates,” Computers & Security, vol. 16, no.
7, pp. 629–641, 1997.
[24] S. Brostoff and Ma. Sasse, “Are Passfaces More Usable Than
Passwords? A Field Trial Investigation,” in in People and
Computers XIV — Usability or Else! SE - 27, S. McDonald,
Y. Waern, and G. Cockton, Eds. Springer London, 2000, pp.
405–424.
[25] J. J. Yan, “A Note on Proactive Password Checking,” in
Proceedings of the 2001 Workshop on New Security
Paradigms, 2001, pp. 127–135.
[26] R. W. Proctor, M.-C. Lien, K.-P. L. Vu, E. E. Schultz, and G.
Salvendy, “Improving computer security for authentication of
users: influence of proactive password restrictions.,” Behavior
research methods, instruments, & computers : a journal of the
Psychonomic Society, Inc, vol. 34, no. 2, pp. 163–9, May
2002.
[27] J. Yan, A. Blackwell, R. Anderson, and A. Grant, “Password
memorability and security: empirical results,” Security &
Privacy, IEEE, vol. 2, no. 5. pp. 25–31, 2004.
[28] W. C. Summers and E. Bosworth, “Password Policy: The
Good, the Bad, and the Ugly,” in Proceedings of the Winter
International Synposium on Information and Communication
Technologies, 2004, pp. 1–6.
[29] D. Davis, F. Monrose, and M. K. Reiter, “On User Choice in
Graphical Password Schemes,” in Proceedings of the 13th
Conference on USENIX Security Symposium - Volume 13,
2004, p. 11.
[30] F. Monrose and M. K. Reiter, “Graphical Passwords,” pp.
161–180, 2005.
[31] X. Suo, Y. Zhu, and G. S. Owen, “Graphical passwords: a
survey,” Computer Security Applications Conference, 21st
Annual. p. 10 pp.–472, 2005.
[32] C. Kuo, S. Romanosky, and L. F. Cranor, “Human Selection
of Mnemonic Phrase-based Passwords,” in Proceedings of the
Second Symposium on Usable Privacy and Security, 2006, pp.
67–78.
[33] C. P. Garrison, “Encouraging Good Passwords,” in
Proceedings of the 3rd Annual Conference on Information
Security Curriculum Development, 2006, pp. 109–112.
[34] S. Riley, “Password Security : What Users Know and What
They Actually Do,” vol. 8, no. 1, 2006.
[35] M. Keith, B. Shao, and P. J. Steinbart, “The usability of
passphrases for authentication: An empirical field study,”
International Journal of Human-Computer Studies, vol. 65,
no. 1, pp. 17–28, 2007.
[36] A. Forget, S. Chiasson, and R. Biddle, “Helping Users Create
Better Passwords: Is This the Right Approach?,” in
Proceedings of the 3rd Symposium on Usable Privacy and
Security, 2007, pp. 151–152.
[37] D. Florêncio, C. Herley, and B. Coskun, “Do Strong Web
Passwords Accomplish Anything?,” in Proceedings of the
2Nd USENIX Workshop on Hot Topics in Security, 2007, pp.
10:1–10:6.
[38] D. Hart, “Attitudes and Practices of Students Towards
Password Security,” J. Comput. Sci. Coll., vol. 23, no. 5, pp.
169–174, 2008.
[39] S. Farrell, “Password Policy Purgatory,” Internet Computing,
IEEE, vol. 12, no. 5. pp. 84–87, 2008.
[40] A.-M. Horcher and G. P. Tejay, “Building a better password:
The role of cognitive load in information security training,”
Intelligence and Security Informatics, 2009. ISI ’09. IEEE
International Conference on. pp. 113–118, 2009.
[41] C. Herley, P. C. Oorschot, and A. Patrick, “Passwords: If
We’re So Smart, Why Are We Still Using Them?,” in in
Financial Cryptography and Data Security SE - 14, vol. 5628,
R. Dingledine and P. Golle, Eds. Springer Berlin Heidelberg,
2009, pp. 230–237.
[42] B. T. Kuhn and C. Garrison, “A Survey of Passwords from
2007 to 2009,” in 2009 Information Security Curriculum
Development Conference, 2009, pp. 91–94.
[43] D. Nelson and K.-P. Vu, “Effects of a Mnemonic Technique
on Subsequent Recall of Assigned and Self-generated
Passwords,” in in Human Interface and the Management of
Information. Designing Information Environments SE - 78,
vol. 5617, M. Smith and G. Salvendy, Eds. Springer Berlin
Heidelberg, 2009, pp. 693–701.
[44] M. Dell’Amico, P. Michiardi, and Y. Roudier, “Password
Strength: An Empirical Analysis,” INFOCOM, 2010
Proceedings IEEE. pp. 1–9, 2010.
[45] W. Hu, X. Wu, and G. Wei, “The Security Analysis of
Graphical Passwords,” Communications and Intelligence
Information Security (ICCIIS), 2010 International Conference
on. pp. 200–203, 2010.
[46] L. Tam, M. Glassman, and M. Vandenwauver, “The
Psychology of Password Management: A Tradeoff Between
Security and Convenience,” Behav. Inf. Technol., vol. 29, no.
3, pp. 233–244, 2010.
[47] P. G. Inglesant and M. A. Sasse, “The True Cost of Unusable
Password Policies: Password Use in the Wild,” in
Proceedings of the SIGCHI Conference on Human Factors in
Computing Systems, 2010, pp. 383–392.
[48] A. Moallem, “Did You Forget Your Password ?,” pp. 29–39,
2011.
[49] A. G. Voyiatzis, C. A. Fidas, D. N. Serpanos, and N. M.
Avouris, “An Empirical Study on the Web Password Strength
in Greece,” Informatics (PCI), 2011 15th Panhellenic
Conference on. pp. 212–216, 2011.
[50] E. Hayashi and J. Hong, “A Diary Study of Password Usage
in Daily Life,” in Proceedings of the SIGCHI Conference on
Human Factors in Computing Systems, 2011, pp. 2627–2630.
[51] K. Schaffer, “Are Password Requirements too Difficult?,”
Computer, vol. 44, no. 12. pp. 90–92, 2011.
[52] S. Komanduri, R. Shay, P. G. Kelley, M. L. Mazurek, L.
Bauer, N. Christin, L. F. Cranor, and S. Egelman, “Of
Passwords and People: Measuring the Effect of Password-
composition Policies,” in Proceedings of the SIGCHI
Conference on Human Factors in Computing Systems, 2011,
pp. 2595–2604.
[53] P. G. Kelley, S. Komanduri, M. L. Mazurek, R. Shay, T.
Vidas, L. Bauer, N. Christin, L. F. Cranor, and J. Lopez,
1365
“Guess Again (and Again and Again): Measuring Password
Strength by Simulating Password-Cracking Algorithms,”
Security and Privacy (SP), 2012 IEEE Symposium on. pp.
523–537, 2012.
[54] K. Helkala, N. Svendsen, P. Thorsheim, and A. Wiehe,
“Cracking Associative Passwords,” in in Secure IT Systems
SE - 11, vol. 7617, A. Jøsang and B. Carlsson, Eds. Springer
Berlin Heidelberg, 2012, pp. 153–168.
[55] K. Helkala and N. Svendsen, “The Security and Memorability
of Passwords Generated by Using an Association Element and
a Personal Factor,” in in Information Security Technology for
Applications SE - 9, vol. 7161, P. Laud, Ed. Springer Berlin
Heidelberg, 2012, pp. 114–130.
[56] E. Zezschwitz, A. Luca, and H. Hussmann, “Survival of the
Shortest: A Retrospective Analysis of Influencing Factors on
Password Composition,” in in Human-Computer Interaction –
INTERACT 2013 SE - 28, vol. 8119, P. Kotzé, G. Marsden, G.
Lindgaard, J. Wesson, and M. Winckler, Eds. Springer Berlin
Heidelberg, 2013, pp. 460–467.
[57] B. Lorenz, K. Kikkas, and A. Klooster, “‘The Four Most-
Used Passwords Are Love, Sex, Secret, and God’: Password
Security and Training in Different User Groups,” in in Human
Aspects of Information Security, Privacy, and Trust SE - 29,
vol. 8030, L. Marinos and I. Askoxylakis, Eds. Springer
Berlin Heidelberg, 2013, pp. 276–283.
[58] L. Clair, L. Johansen, W. Enck, M. Pirretti, P. Traynor, P.
McDaniel, and T. Jaeger, “Password Exhaustion: Predicting
the End of Password Usefulness,” in in Information Systems
Security SE - 3, vol. 4332, A. Bagchi and V. Atluri, Eds.
Springer Berlin Heidelberg, 2006, pp. 37–55.
[59] A. Adams and M. A. Sasse, “Users Are Not the Enemy,”
Commun. ACM, vol. 42, no. 12, pp. 40–46, Dec. 1999.
[60] M. A. Sasse, S. Brostoff, and D. Weirich, “Transforming the
‘Weakest Link’ — a Human/Computer Interaction Approach
to Usable and Effective Security,” BT Technology Journal,
vol. 19, no. 3, pp. 122–131, 2001.
[61] S. Vidyaraman, M. Chandrasekaran, and S. Upadhyaya,
“Position: The User is the Enemy,” in Proceedings of the
2007 Workshop on New Security Paradigms, 2008, pp. 75–80.
[62] C. A. Fidas, A. G. Voyiatzis, and N. M. Avouris, “When
Security Meets Usability: A User-Centric Approach on a
Crossroads Priority Problem,” Informatics (PCI), 2010 14th
Panhellenic Conference on. pp. 112–117, 2010.
[63] M. Adeka, S. Shepherd, and R. Abd-Alhameed, “Resolving
the password security purgatory in the contexts of technology,
security and human factors,” Computer Applications
Technology (ICCAT), 2013 International Conference on. pp.
1–7, 2013.
[64] D. Florêncio and C. Herley, “Where Do Security Policies
Come from?,” in Proceedings of the Sixth Symposium on
Usable Privacy and Security, 2010, pp. 10:1–10:14.
[65] K.-P. L. Vu, R. W. Proctor, A. Bhargav-Spantzel, B.-L.
(Belin) Tai, J. Cook, and E. Eugene Schultz, “Improving
Password Security and Memorability to Protect Personal and
Organizational Information,” Int. J. Hum.-Comput. Stud., vol.
65, no. 8, pp. 744–757, 2007.
[66] B. Grawemeyer and H. Johnson, “Using and Managing
Multiple Passwords: A Week to a View,” Interact. Comput.,
vol. 23, no. 3, pp. 256–267, 2011.
[67] G. B. Duggan, H. Johnson, and B. Grawemeyer, “Rational
Security: Modelling Everyday Password Use,” Int. J. Hum.-
Comput. Stud., vol. 70, no. 6, pp. 415–431, 2012.
[68] S. Preibusch and J. Bonneau, “The Password Game: Negative
Externalities from Weak Password Practices,” in Decision and
Game Theory for Security SE - 13, vol. 6442, T. Alpcan, L.
Buttyán, and J. Baras, Eds. Springer Berlin Heidelberg, 2010,
pp. 192–207.
[69] M. Weir, S. Aggarwal, B. de Medeiros, and B. Glodek,
“Password Cracking Using Probabilistic Context-Free
Grammars,” Security and Privacy, 2009 30th IEEE
Symposium on. pp. 391–405, 2009.