Evaluating Password Advice
This work addresses usability and security issues for users and organizations by highlighting inefficiencies in password policy dissemination.
The paper tackles the problem of inconsistent and contradictory password advice from various organizations, finding that such advice often conflicts and leads to user confusion and non-compliance.
Password advice is constantly circulated by standards agencies, companies, websites and specialists. But there appears to be great diversity in terms of the advice that is given. Users have noticed that different websites are enforcing different restrictions. For example, requiring different combinations of uppercase and lowercase letters, numbers and special characters. We collected password advice and found that the advice distributed by one organization can directly contradict advice given by another. Our paper aims to illuminate interesting characteristics for a sample of the password advice distributed. We also create a framework for identifying the costs associated with implementing password advice. In doing so we identify a reason for why password advice is often both derided and ignored.