Achievement

Little is known about the relationship between password-composition policies and the strength of the resulting passwords, or about the behavior of users (e.g., writing down passwords) in response to different policies. We conducted a large-scale study that investigates password strength, user behavior, and user sentiment across five password-composition policies. We statistically characterized the predictability of passwords (i.e., entropy), and found that a number of commonly held beliefs about password composition and strength are inaccurate. We correlated our results with user behavior and sentiment to produce several recommendations for password-composition policies that result in strong passwords without unduly burdening users. See "Of Passwords and People: Measuring the Effect of Password-Composition Policies" published at CHI 2011.