Survival of the Shortest: A Retrospective Analysis of Influencing Factors on Password Composition

  • Emanuel von Zezschwitz
  • Alexander De Luca
  • Heinrich Hussmann
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8119)


In this paper, we investigate the evolutionary change of user-selected passwords. We conducted one-on-one interviews and analyzed the complexity and the diversity of users’ passwords using different analysis tools. By comparing their first-ever created passwords to several of their currently used passwords (e.g. most secure, policy-based), we were able to trace password reuse, password changes and influencing factors on the evolutionary process. Our approach allowed for analyzing security aspects without actually knowing the clear-text passwords. The results reveal that currently used passwords are significantly longer than the participants’ first passwords and that most participants are aware of how to compose strong passwords. However, most users are still using significantly weaker passwords for most services. These weak passwords, often with roots in the very first passwords the users have chosen, apparently survive very well, despite password policies and password meters.


password evolution security policy survey human factor 



Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Emanuel von Zezschwitz (1)
  • Alexander De Luca (1)
  • Heinrich Hussmann (1)
  1. Media Informatics Group, University of Munich (LMU), Munich, Germany
