Abstract
Organizations worldwide are revisiting the design of their password policies. This is partly motivated by the security and usability limitations of user-generated passwords. While research on password policies has been ongoing, this has taken place in the Global North. Accordingly, little is known about the strengths and weaknesses of password policies deployed in the Global South, especially Africa. As such, this study researched password policies deployed on South African websites. Password policies of thirty frequently visited websites belonging to South African organizations were analyzed. Our observations show diverse password requirements. Even though the desire for strong passwords is the dominant motivator of complex password policies, South African organizations often adopt obsolete measures for attaining password security. The ten most common passwords in the literature were considered acceptable on most sites. In addition, some sites did not explicitly display password requirements and only a few sites adopted measures for providing real-time feedback and effective guidance during password generation.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Florêncio, D., Herley, C.: Where do security policies come from? In: Proceedings of a Symposium on Usable Privacy and Security (SOUPS), pp. 1–14. ACM, Redmond (2010)
Grassi, P.A., Garcia, M.E., Fenton, J.L.: Digital Identity Guidelines. NIST Special Publication 800-63-3, pp. 1–62. NIST (2017)
Wang, D., Wang, P.: The emperor’s new password creation policies: In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9327, pp. 456–477. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24177-7_23
de Carnavalet, X., Mannan, M.: From very weak to very strong: analyzing password-strength meters. In: NDSS, vol. 14, pp. 23–26 (2014)
AlFayyadh, B., Thorsheim, P., Jøsang, A., Klevjer, H.: Improving usability of password management with standardized password policies. In: Proceedings of the Seventh Conference on Network and Information Systems Security (SAR-SSI), pp. 7983–7999. Kolkata, India (2012)
Weir, M., Aggarwal, S., de Medeiros, B., Glodek, B.: Password cracking using probabilistic context-free grammars. In: Proceedings of the 30th IEEE Symposium on Security and Privacy, pp. 391–405. IEEE, Washington (2009)
Wheeler, D.L.: zxcvbn: Low-Budget Password Strength Estimation. In: Proceedings of the 25th USENIX Security Symposium. pp. 157–173. USENIX Association, Austin (2016)
Shay, R., et al.: A spoonful of sugar? The impact of guidance and feedback on password-creation behavior. In: Proceedings of the Human Computer Interaction (HCI) Conference, pp. 2903–2912. ACM, Seoul (2015)
Furnell, S.: Password practices on leading websites – revisited. Comput. Fraud Secur. 12, 5–11 (2014)
Furnell, S., Khern-am-nuai, W., Esmael, R., Yang, W., Li, N.: Enhancing security behaviour by supporting the user. Comput. Secur. 75, 1–9 (2018)
Ur, B., et al.: How does your password measure up? The effect of strength meters on password creation. In: Proceedings of USENIX Security Symposium, pp. 65–80. USENIX, Bellevue (2012)
Yang, C., Hung, J.-L., Lin, Z.: An analysis view on password patterns of chinese internet users. Nankai Bus. Rev. Int. 4, 66–77 (2013)
Wang, D., Cheng, H., Gu, Q., Wang, P.: Understanding Passwords of Chinese Users: Characteristics, Security and Implications. CACR Report, China (2015)
Vance, A., Eargle, D., Ouimet, K., Straub, D.: Enhancing password security through interactive fear appeals: a web-based field experiment. In: Proceedings of the 46th Hawaii International Conference on System Sciences, pp. 2988–2997. IEEE, Wailea (2013)
Furnell, S., Esmael, R.: Evaluating the effect of guidance and feedback upon password compliance. Comput. Fraud Secur. 1, 5–10 (2017)
Althubaiti, S., Petrie, H.: Instructions for creating passwords: how do they help in password creation. In: Proceedings of the 31st British Computer Society Human Computer Interaction Conference, pp. 55–65. BCS Learning & Development Ltd, Sunderland (2017)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendix
Appendix
Researched Sites, Password Policies and Accepted Passwords
Category | Password strength meter | Rule-based password policy | Minimum length limits | Character set | Blacklist | Deter personal data | SSO | Explicitly display password rules | Accepted passwords |
|---|---|---|---|---|---|---|---|---|---|
Bank site | No | Yes | 8 | ULNS | No | No | No | Yes | P@s$word5 |
Bank site | No | Yes | 8 | ULN | No | No | No | Yes | N/A |
Bank site | No | Yes | 8 | UN/ LN | No | No | No | Yes | N/A |
Betting site | No | Yes | 6 | UN/ LN | No | No | No | No | password123 |
Classified adverts | No | Yes | No | No | No | No | No | No | 1, we, pass |
Classified adverts | No | Yes | 7 | N/ L/S/U | No | No | No | Yes | 1234567 |
e-Commerce | Yes | N/A | N/A | N/A | No | No | No | Yes | P@55word |
e-Commerce | No | Yes | 5 | L/N/S/U | No | No | No | No | ilove |
e-Commerce | No | Yes | N/A | N/A | No | No | Yes | N/A | N/A |
e-Commerce | No | Yes | 8 | UN/LN | Yes | No | No | Yes | 111111p; p@55word; iloveyou1 |
e-Commerce | No | Yes | 6 | U/L/N/S | No | No | No | No | password |
E-Government | No | Yes | 6 | ULNS | No | No | No | Yes | N/A |
No | Yes | No | U/L/N/S | No | No | No | No | 12345 | |
Job vacancies | Yes | Yes | 6 | U/L/N/S | No | No | No | Yes | pa55word |
Job vacancies | No | Yes | No | U/L/N/S | No | No | No | No | pass |
Job vacancies | No | Yes | No | U/L/N/S | No | No | No | No | pass |
News site | No | Yes | N/A | N/A | No | No | Yes | N/A | N/A |
News site | No | Yes | 6 | U/L/N/S | No | No | No | No | password |
News site | No | Yes | 5 | U/L/N/S | No | No | No | No | passw |
News site | No | Yes | 8 | ULN | No | No | No | Yes | password1 |
Real estate | No | Yes | 6 | U/L/N/S | Yes | No | No | No | Pa$5word |
Real estate | No | Yes | 6 | U/L/N/S | No | No | No | Yes | password |
IT corporations | No | Yes | 8 | ULN | No | No | No | Yes | Password@1 |
IT corporations | No | Yes | 8 | ULN | No | No | No | Yes | Password1 |
TV services | Yes | N/A | N/A | N/A | Yes | No | No | Yes | Â |
TV services | No | Yes | 6 | U/L/N/S | No | No | Yes | No | password |
University | No | Yes | 6 | U/L/N/S | No | No | No | Yes | password |
University | No | Yes | 12 | ULNS | No | No | No | Yes | N/A |
University | No | Yes | 14 | U/L/N/S | Yes | Yes | No | Yes | N/A |
University | No | Yes | 8 | ULN/ UNS/LNS | No | No | No | Yes | password1# |
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Maoneke, P.B., Flowerday, S. (2019). Password Policies Adopted by South African Organizations: Influential Factors and Weaknesses. In: Venter, H., Loock, M., Coetzee, M., Eloff, M., Eloff, J. (eds) Information Security. ISSA 2018. Communications in Computer and Information Science, vol 973. Springer, Cham. https://doi.org/10.1007/978-3-030-11407-7_3
Download citation
DOI: https://doi.org/10.1007/978-3-030-11407-7_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-11406-0
Online ISBN: 978-3-030-11407-7
eBook Packages: Computer ScienceComputer Science (R0)