Password Education Based on Guidelines Tailored to Different Password Categories

Abstract

General password policies do not guarantee that passwords fulfilling the requirement are good enough. The policies have a tendency to be too broad to be useful for all users. Different users have different designing processes based on what kind of passwords they most easily remember. Users are also often left to generate passwords on their own without any training. In our study we used new password creation guidelines when teaching students password security. We divided passwords into three password categories: Word password, Mixture password and Non-word password. For each category different password generation guidelines were taught to students. Students had access to the password quality measurement tool, which not only measured the strength of the password but also guided students in the generation process. Our goal is to measure the effect of education on the strength of a password and analyze recall rates of the passwords created by the new guidelines. It is shown that education had a positive effect and that passwords became stronger right after the education. The most important result is that a password structure got changed as the variation of structures increased and different structure types were more evenly distributed. However, after half a year without reminders or education repetition, most of the positive effect was lost. While password structures still differed, they had become less complex as participants had given up using special characters. Recall rates of the passwords generated with new guidelines are good.