
TL;DR
This paper analyzes the diversity and contradictions in password advice from various sources, highlighting the inconsistencies and costs associated with implementing such advice, which may explain why it is often ignored.
Contribution
It provides a systematic analysis of password advice diversity and introduces a framework to assess the costs of implementing different password recommendations.
Findings
Password advice varies significantly across organizations.
Contradictions exist between different password guidelines.
Implementing diverse advice incurs notable costs.
Abstract
Password advice is constantly circulated by standards agencies, companies, websites and specialists. But there appears to be great diversity in terms of the advice that is given. Users have noticed that different websites are enforcing different restrictions, for example requiring different combinations of uppercase and lowercase letters, numbers and special characters. We collected password advice and found that the advice distributed by one organization can directly contradict advice given by another. Our paper aims to illuminate interesting characteristics for a sample of the password advice distributed. We also create a framework for identifying the costs associated with implementing password advice. In doing so we identify a reason for why password advice is often both derided and ignored.
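The abstract's point that composition rules differ from site to site, and that one organization's rules can directly contradict another's, is easy to make concrete. The following is an added example, not code or data from the paper: it encodes composition rules as a small policy object, reports which rules a candidate password breaks under each policy, and detects rule pairs that no password can satisfy at once. The two policies ("strict-site" and "legacy-site") are constructed for illustration and are not policies the paper quotes.

```python
"""Composition-rule checker (added example, not from the paper).

Shows how two constructed password policies can contradict each other so
that no single password satisfies both, which is the situation a user
faces when two services publish incompatible advice.
"""
import string
from dataclasses import dataclass
from typing import Dict, List, Optional

SPECIALS = set(string.punctuation)


@dataclass(frozen=True)
class Policy:
    """One organization's composition rules (constructed for this example)."""
    name: str
    min_length: int = 8
    max_length: Optional[int] = None   # None means no upper bound
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_special: bool = False
    forbid_special: bool = False       # some legacy systems reject punctuation

    def violations(self, password: str) -> List[str]:
        """Return the rules of this policy that `password` breaks."""
        has_special = any(c in SPECIALS for c in password)
        problems: List[str] = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length}")
        if self.max_length is not None and len(password) > self.max_length:
            problems.append(f"longer than {self.max_length}")
        if self.require_upper and not any(c.isupper() for c in password):
            problems.append("no uppercase letter")
        if self.require_lower and not any(c.islower() for c in password):
            problems.append("no lowercase letter")
        if self.require_digit and not any(c.isdigit() for c in password):
            problems.append("no digit")
        if self.require_special and not has_special:
            problems.append("no special character")
        if self.forbid_special and has_special:
            problems.append("special character not allowed")
        return problems


def check_all(password: str, policies: List[Policy]) -> Dict[str, List[str]]:
    """Map each policy name to the list of rules the password breaks."""
    return {p.name: p.violations(password) for p in policies}


def static_conflicts(policies: List[Policy]) -> List[str]:
    """Find rule pairs that no password can satisfy simultaneously.

    This needs no candidate password: it compares the rules themselves.
    """
    found: List[str] = []
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            if (a.require_special and b.forbid_special) or \
               (b.require_special and a.forbid_special):
                found.append(f"{a.name} vs {b.name}: special characters "
                             f"both required and forbidden")
            maxes = [p.max_length for p in (a, b) if p.max_length is not None]
            if maxes and max(a.min_length, b.min_length) > min(maxes):
                found.append(f"{a.name} vs {b.name}: minimum length "
                             f"{max(a.min_length, b.min_length)} exceeds "
                             f"maximum length {min(maxes)}")
    return found


# Constructed policies for illustration; not taken from the paper.
STRICT = Policy("strict-site", min_length=12, require_upper=True,
                require_lower=True, require_digit=True, require_special=True)
LEGACY = Policy("legacy-site", min_length=6, max_length=8,
                require_digit=True, forbid_special=True)


if __name__ == "__main__":
    for reason in static_conflicts([STRICT, LEGACY]):
        print("conflict:", reason)
    for pw in ("Correct-Horse-9", "pass1234"):
        print(pw, check_all(pw, [STRICT, LEGACY]))
```

The `static_conflicts` check is the useful part for an auditor: it flags the contradiction before any user is asked to pick a password, whereas `check_all` only shows that a given password fails one site or the other. A user who must keep accounts at both constructed sites cannot reuse one password and is pushed toward maintaining per-site passwords, which is one concrete form of the cost the paper's framework sets out to identify.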
