May 7, 2021

Complex passwords aren't always best

by James Cook University

Complex passwords aren't always best
Credit: Dan Nelson, Unsplash

Research from James Cook University shows increasingly complex website password restrictions often leave users frustrated and lead to poor password security.

Associate Professor Roberto Dillon investigated how react to increasingly complex password requirements and whether those rules compromise password security.

"Our results confirm that the tougher the constraints of creating the the safer users feel with their information," he said. "However, the results show that a large number of restrictions can frustrate users."

Dr. Dillon said this frustration led to 75% of participants using strategies to remember their passwords, including strategies that compromise their security.

"The most popular was using the same password for multiple sites," he said.

Dr. Dillon and his team conducted a survey where users were asked to create a password following an increasing number of restrictions, ranging from "passwords must contain at least eight characters" to "passwords must be different from the latest five passwords."

Participants were also asked if they used any strategies to remember their passwords, as well as the situations where they would be tempted to use those strategies.

"Websites often require passwords that include a combination of special characters, numbers, upper- and lower-case letters, and more," he said. "This makes passwords less likely to be compromised by hackers, but harder for users to invent a password and to remember it."

While measures such as password managers and two-factor authentication protocols offer solutions to password management and securing privacy, Dr. Dillon said they still suffer from usability issues and demonstrate inconvenience to users.

He suggests a better approach was to ask users to create a long but meaningful password phrase.

"This is easy to remember but long enough to hinder brute-force hacking attacks," he said. "At the same time, providers should avoid adding several restrictions as it makes it more likely for users to resort to workarounds that compromise ."

More information: Roberto Dillon et al. Password Policies vs. Usability: When Do Users Go "Bananas"?, 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom) (2021). DOI: 10.1109/TrustCom50675.2020.00032

Provided by James Cook University
Citation: Complex passwords aren't always best (2021, May 7) retrieved 19 April 2024 from https://techxplore.com/news/2021-05-complex-passwords.html
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.

Explore further

Bypassing popular passwords
55 shares

Feedback to editors
Bitcoin's next 'halving' is right around the corner. Here's what you need to know

24 minutes ago
Team develops a way to teach a computer to type like a human

11 hours ago
Universal 'cocktail electrolyte' developed for 4.6 V ultra-stable fast charging of commercial lithium-ion batteries

11 hours ago
Garbage could replace a quarter of petroleum-based jet fuel every year

12 hours ago
For more open and equitable public discussions on social media, try 'meronymity'

14 hours ago
Mess is best: Disordered structure of battery-like devices improves performance

14 hours ago
Meta's newest AI model beats some peers. But its amped-up AI agents are confusing Facebook users

15 hours ago
An ink for 3D-printing flexible devices without mechanical joints

15 hours ago
Floating solar's potential to support sustainable development

15 hours ago
Harvesting vibrational energy from 'colored noise'

16 hours ago
Load comments (1)