Password strength analysis: User coping mechanisms in password selection

Brian Thomas Curnett, Purdue University


The security that passwords provide could be seriously flawed due to the way people cope with having to memorize and recall their passwords. The National Institute of Standards and Technology (NIST) standard used to measure password strength, known as entropy, is designed for a single use and does not consider that users may choose to keep parts of their password across password changes. This study shows that a portion of users keep some information from previous passwords across changes. These habits, which will be called coping mechanisms, over time erode the protection provided by passwords below the minimum level of security set by the password policy, which can place both individuals and enterprises in danger. This is made even more apparent as data breaches become a common phenomenon in present-day life, exposing users' passwords to the world. It was found that the minimum level of security can no longer be provided after one disclosure of passwords under the Comprehensive 8 password policy, and after two disclosures of passwords under the Blacklist Hard and Basic 16 policies. Coping mechanisms are most prevalent in password policies that place many requirements on users. The Comprehensive 8 policy showed the most coping, followed by the Blacklist Hard and Basic 16 policies.
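To make the erosion concrete, the following is an added example, not code from the dissertation: it scores passwords with the NIST SP 800-63 Appendix A entropy heuristic the abstract refers to, then re-scores only the changed part under the assumption (this example's own model, not the study's method) that a fragment kept across changes contributes no entropy once it has appeared in a breach. The password history and the Comprehensive 8 reference value are constructed.

```python
# Added example (not from the dissertation): NIST SP 800-63 Appendix A entropy
# heuristic plus a simple model of how a fragment retained across password
# changes stops counting once it has been exposed in a breach.
from typing import Iterable

COMPOSITION_BONUS_BITS = 6.0  # NIST: +6 bits when upper-case and non-alphabetic chars both appear


def nist_entropy_bits(password: str) -> float:
    """NIST SP 800-63 Appendix A heuristic for user-chosen passwords.

    1st char: 4 bits; chars 2-8: 2 bits each; chars 9-20: 1.5 bits each;
    21+: 1 bit each; +6 bits if both upper-case and non-alphabetic chars occur.
    The appendix's optional dictionary-check bonus is left out here.
    """
    bits = 0.0
    for i in range(1, len(password) + 1):
        bits += 4.0 if i == 1 else 2.0 if i <= 8 else 1.5 if i <= 20 else 1.0
    has_upper = any(c.isupper() for c in password)
    has_non_alpha = any(not c.isalpha() for c in password)
    if has_upper and has_non_alpha:
        bits += COMPOSITION_BONUS_BITS
    return bits


def residual_entropy_bits(password: str, disclosed_fragments: Iterable[str]) -> float:
    """Assumption of this example: a fragment already exposed by a breach is known
    to an attacker and contributes nothing, so only the rest of the password is scored."""
    remainder = password
    for frag in disclosed_fragments:
        if frag:
            remainder = remainder.replace(frag, "")
    return nist_entropy_bits(remainder)


# Constructed history: a Comprehensive 8 user keeps "Purdue!" and bumps the year.
HISTORY = ["Purdue!2015", "Purdue!2016", "Purdue!2017"]
RETAINED = "Purdue!"
# Constructed reference point: the heuristic's score for a password that just
# meets Comprehensive 8 (8 chars with upper, lower, digit and symbol).
COMP8_FLOOR_BITS = nist_entropy_bits("Aa1!bcde")  # 24.0


def erosion_report(history=HISTORY, retained=RETAINED):
    """(password, full estimate, estimate once the retained fragment is disclosed)."""
    return [(p, nist_entropy_bits(p), residual_entropy_bits(p, [retained])) for p in history]


if __name__ == "__main__":
    for pw, full, residual in erosion_report():
        flag = "below floor" if residual < COMP8_FLOOR_BITS else "ok"
        print(f"{pw:12} full={full:5.1f} bits  after disclosure={residual:5.1f} bits  {flag}")
```

Once "Purdue!" is known, every later password in the sequence scores only its four changed digits, well under the constructed Comprehensive 8 reference value.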




Dark, Purdue University.

Subject Area

Cognitive psychology, Information science, Computer science
