{"id":"https://openalex.org/W2346878720","doi":"https://doi.org/10.1145/2891411","title":"Designing Password Policies for Strength and Usability","display_name":"Designing Password Policies for Strength and Usability","publication_year":2016,"publication_date":"2016-05-06","ids":{"openalex":"https://openalex.org/W2346878720","doi":"https://doi.org/10.1145/2891411","mag":"2346878720"},"language":"en","primary_location":{"id":"doi:10.1145/2891411","is_oa":true,"landing_page_url":"https://doi.org/10.1145/2891411","pdf_url":"http://dl.acm.org/ft_gateway.cfm?id=2891411&type=pdf","source":{"id":"https://openalex.org/S2642811","display_name":"ACM Transactions on Information and System Security","issn_l":"1094-9224","issn":["1094-9224","1557-7406"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Information and System Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"bronze","oa_url":"http://dl.acm.org/ft_gateway.cfm?id=2891411&type=pdf","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5077826909","display_name":"Richard Shay","orcid":"https://orcid.org/0000-0002-9437-9802"},"institutions":[{"id":"https://openalex.org/I4210122954","display_name":"MIT Lincoln Laboratory","ror":"https://ror.org/022z6jk58","country_code":"US","type":"facility","lineage":["https://openalex.org/I4210122954","https://openalex.org/I63966007"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Richard Shay","raw_affiliation_strings":["MIT Lincoln Laboratory\u2020"],"affiliations":[{"raw_affiliation_string":"MIT Lincoln Laboratory\u2020","institution_ids":["https://openalex.org/I4210122954"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5048460404","display_name":"Saranga Komanduri","orcid":null},"institutions":[{"id":"https://openalex.org/I74973139","display_name":"Carnegie Mellon University","ror":"https://ror.org/05x2bcf33","country_code":"US","type":"education","lineage":["https://openalex.org/I74973139"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Saranga Komanduri","raw_affiliation_strings":["Carnegie Mellon University"],"affiliations":[{"raw_affiliation_string":"Carnegie Mellon University","institution_ids":["https://openalex.org/I74973139"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5078223652","display_name":"Adam L. Durity","orcid":null},"institutions":[{"id":"https://openalex.org/I1291425158","display_name":"Google (United States)","ror":"https://ror.org/00njsd438","country_code":"US","type":"company","lineage":["https://openalex.org/I1291425158","https://openalex.org/I4210128969"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Adam L. Durity","raw_affiliation_strings":["Google\u2020"],"affiliations":[{"raw_affiliation_string":"Google\u2020","institution_ids":["https://openalex.org/I1291425158"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5043748278","display_name":"Phillip Huh","orcid":null},"institutions":[{"id":"https://openalex.org/I142401562","display_name":"Electronics and Telecommunications Research Institute","ror":"https://ror.org/03ysstz10","country_code":"KR","type":"facility","lineage":["https://openalex.org/I142401562","https://openalex.org/I2801339556","https://openalex.org/I4210144908","https://openalex.org/I4387152098"]}],"countries":["KR"],"is_corresponding":false,"raw_author_name":"Phillip (Seyoung) Huh","raw_affiliation_strings":["Electronics and Telecommunications Research Institute (ETRI), Daejeon, South Korea"],"affiliations":[{"raw_affiliation_string":"Electronics and Telecommunications Research Institute (ETRI), Daejeon, South Korea","institution_ids":["https://openalex.org/I142401562"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5105206771","display_name":"Michelle L. Mazurek","orcid":"https://orcid.org/0000-0003-4151-6428"},"institutions":[{"id":"https://openalex.org/I66946132","display_name":"University of Maryland, College Park","ror":"https://ror.org/047s2c258","country_code":"US","type":"education","lineage":["https://openalex.org/I66946132"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Michelle L. Mazurek","raw_affiliation_strings":["University of Maryland, College Park, MD"],"affiliations":[{"raw_affiliation_string":"University of Maryland, College Park, MD","institution_ids":["https://openalex.org/I66946132"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5023095278","display_name":"Sean M. Segreti","orcid":null},"institutions":[{"id":"https://openalex.org/I74973139","display_name":"Carnegie Mellon University","ror":"https://ror.org/05x2bcf33","country_code":"US","type":"education","lineage":["https://openalex.org/I74973139"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Sean M. Segreti","raw_affiliation_strings":["Carnegie Mellon University, Pittsburgh, PA"],"affiliations":[{"raw_affiliation_string":"Carnegie Mellon University, Pittsburgh, PA","institution_ids":["https://openalex.org/I74973139"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5071246801","display_name":"Blase Ur","orcid":"https://orcid.org/0000-0001-9365-3155"},"institutions":[{"id":"https://openalex.org/I74973139","display_name":"Carnegie Mellon University","ror":"https://ror.org/05x2bcf33","country_code":"US","type":"education","lineage":["https://openalex.org/I74973139"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Blase Ur","raw_affiliation_strings":["Carnegie Mellon University, Pittsburgh, PA"],"affiliations":[{"raw_affiliation_string":"Carnegie Mellon University, Pittsburgh, PA","institution_ids":["https://openalex.org/I74973139"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5002939847","display_name":"Lujo Bauer","orcid":"https://orcid.org/0000-0002-8209-6792"},"institutions":[{"id":"https://openalex.org/I74973139","display_name":"Carnegie Mellon University","ror":"https://ror.org/05x2bcf33","country_code":"US","type":"education","lineage":["https://openalex.org/I74973139"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Lujo Bauer","raw_affiliation_strings":["Carnegie Mellon University, Pittsburgh, PA"],"affiliations":[{"raw_affiliation_string":"Carnegie Mellon University, Pittsburgh, PA","institution_ids":["https://openalex.org/I74973139"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5078075278","display_name":"Nicolas Christin","orcid":"https://orcid.org/0000-0002-2506-8031"},"institutions":[{"id":"https://openalex.org/I74973139","display_name":"Carnegie Mellon University","ror":"https://ror.org/05x2bcf33","country_code":"US","type":"education","lineage":["https://openalex.org/I74973139"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Nicolas Christin","raw_affiliation_strings":["Carnegie Mellon University, Pittsburgh, PA"],"affiliations":[{"raw_affiliation_string":"Carnegie Mellon University, Pittsburgh, PA","institution_ids":["https://openalex.org/I74973139"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5072760035","display_name":"Lorrie Faith Cranor","orcid":"https://orcid.org/0000-0003-2125-0124"},"institutions":[{"id":"https://openalex.org/I74973139","display_name":"Carnegie Mellon University","ror":"https://ror.org/05x2bcf33","country_code":"US","type":"education","lineage":["https://openalex.org/I74973139"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Lorrie Faith Cranor","raw_affiliation_strings":["Carnegie Mellon University, Pittsburgh, PA"],"affiliations":[{"raw_affiliation_string":"Carnegie Mellon University, Pittsburgh, PA","institution_ids":["https://openalex.org/I74973139"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":10,"corresponding_author_ids":["https://openalex.org/A5077826909"],"corresponding_institution_ids":["https://openalex.org/I4210122954"],"apc_list":null,"apc_paid":null,"fwci":35.2182,"has_fulltext":true,"cited_by_count":130,"citation_normalized_percentile":{"value":0.99676093,"is_in_top_1_percent":true,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":100},"biblio":{"volume":"18","issue":"4","first_page":"1","last_page":"34"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11800","display_name":"User Authentication and Security Systems","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11800","display_name":"User Authentication and Security Systems","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9926999807357788,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11045","display_name":"Privacy, Security, and Data Protection","score":0.9690999984741211,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/password","display_name":"Password","score":0.9494998455047607},{"id":"https://openalex.org/keywords/password-policy","display_name":"Password policy","score":0.857263445854187},{"id":"https://openalex.org/keywords/cognitive-password","display_name":"Cognitive password","score":0.7907544374465942},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.78253173828125},{"id":"https://openalex.org/keywords/usability","display_name":"Usability","score":0.6573870182037354},{"id":"https://openalex.org/keywords/password-strength","display_name":"Password strength","score":0.653086245059967},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.6201816201210022},{"id":"https://openalex.org/keywords/usable","display_name":"USable","score":0.5509589314460754},{"id":"https://openalex.org/keywords/internet-privacy","display_name":"Internet privacy","score":0.521446168422699},{"id":"https://openalex.org/keywords/one-time-password","display_name":"One-time password","score":0.43273115158081055},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.34377986192703247},{"id":"https://openalex.org/keywords/human\u2013computer-interaction","display_name":"Human\u2013computer interaction","score":0.19735956192016602}],"concepts":[{"id":"https://openalex.org/C109297577","wikidata":"https://www.wikidata.org/wiki/Q161157","display_name":"Password","level":2,"score":0.9494998455047607},{"id":"https://openalex.org/C98705547","wikidata":"https://www.wikidata.org/wiki/Q3394687","display_name":"Password policy","level":4,"score":0.857263445854187},{"id":"https://openalex.org/C23875713","wikidata":"https://www.wikidata.org/wiki/Q5141232","display_name":"Cognitive password","level":5,"score":0.7907544374465942},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.78253173828125},{"id":"https://openalex.org/C170130773","wikidata":"https://www.wikidata.org/wiki/Q216378","display_name":"Usability","level":2,"score":0.6573870182037354},{"id":"https://openalex.org/C70530487","wikidata":"https://www.wikidata.org/wiki/Q1990841","display_name":"Password strength","level":4,"score":0.653086245059967},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6201816201210022},{"id":"https://openalex.org/C2780615836","wikidata":"https://www.wikidata.org/wiki/Q2471869","display_name":"USable","level":2,"score":0.5509589314460754},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.521446168422699},{"id":"https://openalex.org/C89479133","wikidata":"https://www.wikidata.org/wiki/Q1137840","display_name":"One-time password","level":3,"score":0.43273115158081055},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.34377986192703247},{"id":"https://openalex.org/C107457646","wikidata":"https://www.wikidata.org/wiki/Q207434","display_name":"Human\u2013computer interaction","level":1,"score":0.19735956192016602}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/2891411","is_oa":true,"landing_page_url":"https://doi.org/10.1145/2891411","pdf_url":"http://dl.acm.org/ft_gateway.cfm?id=2891411&type=pdf","source":{"id":"https://openalex.org/S2642811","display_name":"ACM Transactions on Information and System Security","issn_l":"1094-9224","issn":["1094-9224","1557-7406"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Information and System Security","raw_type":"journal-article"}],"best_oa_location":{"id":"doi:10.1145/2891411","is_oa":true,"landing_page_url":"https://doi.org/10.1145/2891411","pdf_url":"http://dl.acm.org/ft_gateway.cfm?id=2891411&type=pdf","source":{"id":"https://openalex.org/S2642811","display_name":"ACM Transactions on Information and System Security","issn_l":"1094-9224","issn":["1094-9224","1557-7406"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Information and System Security","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G205123881","display_name":null,"funder_award_id":"32 CFR 168a","funder_id":"https://openalex.org/F4320333566","funder_display_name":"National Defense Science and Engineering Graduate"},{"id":"https://openalex.org/G3631313543","display_name":null,"funder_award_id":"Fellowship","funder_id":"https://openalex.org/F4320308943","funder_display_name":"Microsoft Research"},{"id":"https://openalex.org/G6621079209","display_name":null,"funder_award_id":"NDSEG","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G6894402473","display_name":null,"funder_award_id":"Fellowship","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G7098812956","display_name":"IGERT: Usable Privacy and Security","funder_award_id":"0903659","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G7194801777","display_name":"TC: Small: An Empirical Study of Text-based Passwords and Their Users","funder_award_id":"1116776","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G7247753775","display_name":null,"funder_award_id":"DGE-0903659","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G7791925507","display_name":null,"funder_award_id":"CFR 168a","funder_id":"https://openalex.org/F4320333566","funder_display_name":"National Defense Science and Engineering Graduate"},{"id":"https://openalex.org/G848032724","display_name":null,"funder_award_id":"Science","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G8926491534","display_name":null,"funder_award_id":"Fellowship","funder_id":"https://openalex.org/F4320333566","funder_display_name":"National Defense Science and Engineering Graduate"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"},{"id":"https://openalex.org/F4320308943","display_name":"Microsoft Research","ror":"https://ror.org/00d0nc645"},{"id":"https://openalex.org/F4320333566","display_name":"National Defense Science and Engineering Graduate","ror":null}],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W2346878720.pdf","grobid_xml":"https://content.openalex.org/works/W2346878720.grobid-xml"},"referenced_works_count":49,"referenced_works":["https://openalex.org/W143386018","https://openalex.org/W150647875","https://openalex.org/W1267153886","https://openalex.org/W1463944966","https://openalex.org/W1466389411","https://openalex.org/W1516750986","https://openalex.org/W1526940914","https://openalex.org/W1534968492","https://openalex.org/W1551931061","https://openalex.org/W1591302859","https://openalex.org/W1971295515","https://openalex.org/W1980235022","https://openalex.org/W1987516957","https://openalex.org/W2007488200","https://openalex.org/W2014833947","https://openalex.org/W2019578814","https://openalex.org/W2022580268","https://openalex.org/W2023306951","https://openalex.org/W2030112111","https://openalex.org/W2039031286","https://openalex.org/W2045591401","https://openalex.org/W2048755632","https://openalex.org/W2053030258","https://openalex.org/W2054626033","https://openalex.org/W2056711010","https://openalex.org/W2073342447","https://openalex.org/W2093397575","https://openalex.org/W2097267243","https://openalex.org/W2111397260","https://openalex.org/W2113266120","https://openalex.org/W2119545418","https://openalex.org/W2123544182","https://openalex.org/W2124715582","https://openalex.org/W2127171880","https://openalex.org/W2132903355","https://openalex.org/W2133824719","https://openalex.org/W2135359429","https://openalex.org/W2146270836","https://openalex.org/W2150341374","https://openalex.org/W2155873597","https://openalex.org/W2157151879","https://openalex.org/W2163006719","https://openalex.org/W2167841977","https://openalex.org/W2171920515","https://openalex.org/W2361580210","https://openalex.org/W2404167293","https://openalex.org/W2406775074","https://openalex.org/W2683619959","https://openalex.org/W4298423176"],"related_works":["https://openalex.org/W2969720675","https://openalex.org/W2359085393","https://openalex.org/W2021087413","https://openalex.org/W2936467198","https://openalex.org/W2156083280","https://openalex.org/W2182949018","https://openalex.org/W4214849386","https://openalex.org/W72859687","https://openalex.org/W2911945468","https://openalex.org/W2953105088"],"abstract_inverted_index":{"Password-composition":[0],"policies":[1,18,116,150,163,175],"are":[2,145,165],"the":[3,12,20,111],"result":[4],"of":[5,14,22,90,115],"service":[6,189],"providers":[7,190],"becoming":[8],"increasingly":[9],"concerned":[10],"about":[11],"security":[13],"online":[15,123],"accounts.":[16],"These":[17],"restrict":[19],"space":[21],"user-created":[23],"passwords":[24,29,33,49,59,155],"to":[25,38,44,60,82,153,195],"preclude":[26],"easily":[27],"guessed":[28],"and":[30,46,70,129,133,142,169],"thus":[31],"make":[32],"more":[34,167,170],"difficult":[35],"for":[36,54,188],"attackers":[37],"guess.":[39],"However,":[40],"many":[41,101],"users":[42,194],"struggle":[43],"create":[45],"recall":[47],"their":[48,193],"under":[50],"strict":[51],"password-composition":[52],"policies,":[53,100],"example,":[55],"ones":[56],"that":[57,77,139,151,164,176],"require":[58],"have":[61,196],"at":[62],"least":[63],"eight":[64],"characters":[65],"with":[66,125],"multiple":[67],"character":[68],"classes":[69],"a":[71,78],"dictionary":[72],"check.":[73],"Recent":[74],"research":[75],"showed":[76],"promising":[79],"alternative":[80],"was":[81],"focus":[83],"policy":[84],"requirements":[85],"on":[86,91,103],"password":[87,99,140,143],"length":[88,104,181],"instead":[89],"complexity.":[92],"In":[93,106],"this":[94],"work,":[95],"we":[96,109],"examine":[97],"15":[98],"focusing":[102],"requirements.":[105,182],"doing":[107],"so,":[108],"contribute":[110],"first":[112],"thorough":[113],"examination":[114],"requiring":[117],"longer":[118],"passwords.":[119,200],"We":[120,161,183],"conducted":[121],"two":[122],"studies":[124],"over":[126],"20,000":[127],"participants,":[128],"collected":[130],"both":[131,166],"usability":[132,144],"password-strength":[134],"data.":[135],"Our":[136],"findings":[137],"indicate":[138],"strength":[141],"not":[146,157],"necessarily":[147],"inversely":[148],"correlated:":[149],"lead":[152],"stronger":[154],"do":[156],"always":[158],"reduce":[159],"usability.":[160],"identify":[162],"usable":[168,199],"secure":[171],"than":[172,180],"commonly":[173],"used":[174],"emphasize":[177],"complexity":[178],"rather":[179],"also":[184],"provide":[185],"practical":[186],"recommendations":[187],"who":[191],"want":[192],"strong":[197],"yet":[198]},"counts_by_year":[{"year":2026,"cited_by_count":3},{"year":2025,"cited_by_count":17},{"year":2024,"cited_by_count":11},{"year":2023,"cited_by_count":9},{"year":2022,"cited_by_count":11},{"year":2021,"cited_by_count":15},{"year":2020,"cited_by_count":11},{"year":2019,"cited_by_count":19},{"year":2018,"cited_by_count":16},{"year":2017,"cited_by_count":14},{"year":2016,"cited_by_count":2},{"year":2015,"cited_by_count":1}],"updated_date":"2026-04-14T08:04:32.555800","created_date":"2025-10-10T00:00:00"}