The password thicket: technical and market failures in human authentication on the web
Joseph Bonneau
Computer Laboratory
University of Cambridge
jcb82@cl.cam.ac.uk
Sören Preibusch
Computer Laboratory
University of Cambridge
sdp36@cl.cam.ac.uk
The Ninth Workshop on the Economics of Information Security (WEIS 2010)
Please email the authors for comments, inquiries, or suggestions for additions.
Selected press coverage:
- Elizabeth Heichler, IDG News, PCWorld: Researchers: Poor Password Practices Hurt Security for All, 7 June 2010 (also at NYTimes.com)
- Tom Espiner, ZDNet UK, ZDNet UK: Poor password standards hit web, say researchers, 8 June 2010
- Sue Marquette Poremba, IT Business Edge: Have Passwords Outlived Their Usefulness?, 8 June 2010
- Mathew J. Schwartz, InformationWeek: Passwords' Value Lie In Psychology, Not Security, 9 June 2010
- Jason Morton, Rackspace: Password security measures inadequate, say researchers, 9 June 2010
- Christiane Pütter, CIO.de: Einfachste Maßnahmen ignoriert. Passwort-Schutz Fehlanzeige, 16 July 2010
- Bruce Schneier, Schneier on Security: Economic Considerations of Website Password Policies, 20 July 2010
- Mark Ward, See Also: Tech Brief: Tech Brief, 30 July 2010
- Alex, KeepItLocked.net: Password Reset Survey, 30 July 2010
- HaeB and Jarry1250, Wikipedia Signpost: Study of web passwords includes Wikipedia, 2 August 2010
- John Leyden, The Register: Short passwords 'hopelessly inadequate', say boffins, 16 August 2010
- Anna Slomovic, Anakam Blog: Password Policies and Identity Security, 23 August 2010
Notes on dataset
2010-08-01:
To reconstruct the password score in the Excel sheet, you may use the following formula:
=MIN(BZ10-SUM(BS10:BU10)-BO10+BI10+BH10+BG10-BE10+IF(AV10>1,1,0)+AX10+MAX(AY10:AZ10)+AN10+IF(AL10="Enrolment, Log-in, Change",0,1)+AG10+AH10+MAX(AA10:AB10)+3,10)