Password Policy Languages: Usable Translation from the Informal to the Formal

  • Michelle StevesEmail author
  • Mary Theofanos
  • Celia Paulsen
  • Athos Ribeiro
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9190)


Password policies – documents which regulate how users must create, manage, and change their passwords – can have complex and unforeseen consequences on organizational security. Since these policies regulate user behavior, users must be clear as to what is expected of them. Unfortunately, current policies are written in language that is often ambiguous. To tackle ambiguity, we previously developed a formal language for stating what behavior is and is not allowed regarding password management. Unfortunately, manual translation of the policy to this formal language is time consuming and error prone. This work focuses on providing an interface for policy users to generate accurate models of their interpretations of a password policy. This will aid password policy research, formalization, and ultimately more usable password policies. This paper describes the requirements, design, high-level application features, application validation, user testing, and includes a discussion of how this work is expected to progress.


Usable security Password policy Question-answer system Policy workbench Formal language XML 



The authors would like to acknowledge the contributions by James Foti, at the National Institution of Standards and Technology, for his work on the draft question-answer set used during validation of the application. His use of plain language in the text of the questions and answers helped differentiate concerns about the application from concerns about the wording of questions and answers during an early phase of the application’s validation. Additionally, the authors would like to acknowledge the contributions of Susanne Furman, also at the National Institute of Standards and Technology, for her contributions to enhance the usability of the application, both during review of the initial design and usability testing.


  1. 1.
    Killourhy, K., Choong, Y., Theofanos, M.: Taxonomic rules for password policies: translating the informal to the formal language. Internal report 7970, National Institute of Standards and Technology, Gaithersburg, Maryland (2013)Google Scholar
  2. 2.
    Michael, J.B., Ong, V.L., Rowe, N.C.: Natural-language processing support for developing policy-governed software systems. In: 39th IEEE International Conference and Exhibition on Technology of Object-Oriented Languages and Systems, pp. 263–274. IEEE Press, New York (2001)Google Scholar
  3. 3.
    Brodie, C., Karat, C.M., Karat, J., Feng, J.: Usable security and privacy: a case study of developing privacy management tools. In: ACM 2005 Symposium on Usable Privacy and Security, pp. 35–43. ACM Press, New York (2005)Google Scholar
  4. 4.
    Brodie, C.A., Karat, C.M., Karat, J.: An empirical study of natural language parsing of privacy policy rules using the SPARCLE policy workbench. In: ACM 2006 Symposium on Usable Privacy and Security, pp. 8–19. ACM Press, New York (2006)Google Scholar
  5. 5.
    Karat, C.M., Karat, J., Brodie, C., Feng, J.: Evaluating interfaces for privacy policy rule authoring. In: ACM 2006 SIGCHI Conference on Human Factors in Computing Systems, pp. 83–92. ACM Press, New York (2006)Google Scholar
  6. 6.
    Breaux, T.D., Antón, A.I.: Deriving semantic models from privacy policies. In: Sixth IEEE International Workshop on Policies for Distributed Systems and Networks, pp. 67–76. IEEE Press, New York (2005)Google Scholar
  7. 7.
    Morris, R., Thompson, K.: Password security: a case history. Commun. ACM 22(11), 94–597 (1979). ACM Press, New YorkCrossRefGoogle Scholar
  8. 8.
    Klein, D.V.: Foiling the cracker: a survey of, and improvements to, password security. In: 2nd USENIX Security Workshop, pp. 5–14. USENIX, Berkeley (1990)Google Scholar
  9. 9.
    Wu, T. D.: A real-world analysis of kerberos password security. In: 1999 Network and Distributed Systems and Security Symposium. Internet Society (1999)Google Scholar
  10. 10.
    Florencio, D., Herley, C.: A large-scale study of web password habits. In: 16th ACM International Conference on World Wide Web, pp. 657–666. ACM Press, New York, (2007)Google Scholar
  11. 11.
    Dell’Amico, M., Michiardi, P., Roudier, Y.: Password strength: an empirical analysis. In: 30th IEEE INFOCOM, pp. 1–9. IEEE Press, New York (2010)Google Scholar
  12. 12.
    Mannan, M., van Oorschot, P.C.: Security and usability: the gap in real-world online banking. In: 2007 ACM Workshop on New Security Paradigms, pp. 1–14. ACM Press, New York (2008)Google Scholar
  13. 13.
    Furnell, S.: An assessment of website password practices. Comput. Secur. 26(7), 445–451 (2007). Elsevier, AmsterdamCrossRefGoogle Scholar
  14. 14.
    Inglesant, P. G., Sasse, M. A.: The true cost of unusable password policies: password use in the wild. In: SIGCHI 2010 Conference on Human Factors in Computing Systems, pp. 383–392. ACM Press, New York (2010)Google Scholar
  15. 15.
    Choong, Y.Y., Theofanos, M., Liu, H.K.: United States Federal Employees Password Management Behaviors a Department of Commerce Case Study. Internal report 7991, National Institute of Standards and Technology, Gaithersburg, Maryland (2014)Google Scholar
  16. 16.
    Summers, W. C., Bosworth, E:. Password policy: the good, the bad, and the ugly. In: WISICT 2004, Winter International Symposium on Information and Communication Technologies, pp. 1–6. Trinity College, Dublin (2004)Google Scholar
  17. 17.
    Spafford, E: Security Myths and Passwords. In: CERIAS Blog, 19 April 2006. Accessed Feb 2015
  18. 18.
    Farrell, S.: Password policy purgatory. IEEE Internet Comput. 12(5), 84–87 (2008)CrossRefGoogle Scholar
  19. 19.
    Bonneau, J., Preibusch, S.: The password thicket: technical and market failures in human authentication on the web. In: 9th Workshop on the Economics of Information Security (2010). Accessed Feb 2015
  20. 20.
    Florêncio, D., Herley, C.: Where do security policies come from? In: 6th ACM Symposium on Usable Privacy and Security, article 10. ACM Press, New York. (2010)Google Scholar
  21. 21.
    Komanduri, S., Shay, R., Kelley, P.G., Mazurek, M.L., Bauer, L., Christin, N., Egelman, S.: Of passwords and people: measuring the effect of password-composition policies. In: 2011 SIGCHI Conference on Human Factors in Computing Systems, pp. 2595–2604. ACM Press, New York (2011)Google Scholar
  22. 22.
    Xu, W., Shehab, M., Ahn, G.J.: Visualization based policy analysis: case study in Selinux. In: 13th ACM Symposium on Access Control Models and Technologies, pp. 165–174. ACM Press, New York (2008)Google Scholar
  23. 23.
    Johnson, M., Karat, J., Karat, C.M., Grueneberg, K.: Optimizing a policy authoring framework for security and privacy policies. In: 6th ACM Symposium on Usable Privacy and Security, article 8. ACM Press, New York (2010)Google Scholar
  24. 24.
    AlFayyadh, B., Thorsheim, P., Jøsang, A., Klevjer, H.: Improving usability of password management with standardized password policies. In: 7eme Conférence sur la Sécurité des Architectures Réseaux et Systemes d’Information, 7th Conference on Network and Information Systems Security, SAR SSI 2012. Accessed Feb 2015
  25. 25.
    Shay, R., Bhargav-Spantzel, A., Bertino, E.: Password policy simulation and analysis. In: 2007 ACM Workshop on Digital Identity Management, pp. 1–10. ACM Press, New York (2007)Google Scholar
  26. 26.
    Parkin, S.E., van Moorsel, A., Coles, R.: An Information security ontology incorporating human-behavioural implications. In: 2nd International Conference on Security of Information and Networks, pp. 46–55. ACM Press, New York (2009)Google Scholar
  27. 27.
    What is plain language? Accessed on Feb 2015

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Michelle Steves
    • 1
    Email author
  • Mary Theofanos
    • 1
  • Celia Paulsen
    • 1
  • Athos Ribeiro
    • 2
  1. 1.National Institute of Standards and TechnologyGaithersburgUSA
  2. 2.Universidale de BrasiliaBrasiliaBrazil

Personalised recommendations