A Second Look at Password Composition Policies in the Wild: Comparing Samples from 2010 and 2016

Author Peter Mayer, Jan Kirchner, Melanie Volkamer
Date July 2017
Kind Inproceedings
Book title Thirteenth Symposium on Usable Privacy and Security
Research Areas SECUSO - Security, Usability and Society, CYSEC
Abstract In this paper, we present a replication of the study performed by Florêncio and Herley published at SOUPS 2010, who investigated a sample of US websites regarding different website features' effects on the strength of the website's password composition policy (PCP). Using the same methodology as in the original study, we re-investigated the sample of US websites to identify differences over time. Additionally, we investigated a corresponding sample of German websites to identify differences across countries. Our findings indicate that while the website features mostly retain their predicting power for the US sample, only one feature affecting PCP strength translates to the German sample: whether users can choose among multiple alternative websites providing the same service. Also, German websites generally use weaker PCPs on average and, in particular, PCPs of German banking websites stand out for having on average low strength PCPs.
