Stronger Password, Longer Lifetime: Studying UCL’s password policy

In October 2016, UCL's Information Services Division (ISD) implemented a new password policy to encourage users to choose stronger passwords. The policy links password lifetime (the time before the password expires) to password strength: The stronger the password, the longer the lifetime. We (Ingolf Becker, Simon Parkin and M. Angela Sasse) decided to collaborate with the Information Services Division to study the effect of this policy change, and the results were published at USENIX Security this week. We find that users appreciate the choice and respond to the policy by choosing stronger passwords when changing passwords. Even after 16 months the mean password lifetime at UCL continues to increase, yet stronger passwords also lead to more password resets.

The new policy

In the new policy, passwords with a Shannon information entropy of 50 bits receive a lifetime of 100 days, and passwords with 120 bits receive a lifetime of 350 days:

Figure: Password expiry by entropy

Additionally, the new policy penalises the lifetime of passwords containing words from a large dictionary.

Users play the game

We analysed the password lifetime - which we will refer to from here on as the 'password strength' - of all password change and reset events of all pseudonymised users at UCL. The following figure shows the mean password expiration of all users over time, smoothed by 31-day moving averages:

Figure: Password expiration over time for all users and new users

A small drop in password strength was observed between November '16 and February '17, as users were moved on to the new system and became accustomed to it: the kinds of passwords they were used to choosing no longer earned them as many days as before, hence the drop. After February '17, the mean strength increases from 145 days to 170 days in 12 months - an increase of 6.9 bits of entropy. This strongly suggests that users have adapted slowly to the new password policy, and eventually make use of the relatively new ability to increase password lifetime by expanding and strengthening their passwords.
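To make the policy and the days-to-bits conversion above concrete, here is an added Python example. It is not code from UCL ISD or from the paper; it estimates a password's entropy with a simple character-class model, applies a dictionary penalty, and maps the result to a lifetime by linear interpolation between the two anchor points the post gives (50 bits to 100 days, 120 bits to 350 days). The linear mapping, the clamping outside those anchors, the character-class estimator, the substring-based dictionary penalty and the five-word toy dictionary are all assumptions: the post states only the two anchor points and that dictionary words are penalised. The same slope converts the 145 to 170 day increase back into bits, which comes out at 7.0 bits under the linear assumption, close to the 6.9 bits the post reports.

```python
import math
import string

# Anchor points stated in the post: 50 bits -> 100 days, 120 bits -> 350 days.
# Everything between them is assumed linear; outside them we clamp (assumption).
ANCHORS = ((50.0, 100), (120.0, 350))

# Constructed toy dictionary for illustration; the real policy uses a large one.
DICTIONARY = frozenset({"password", "london", "welcome", "dragon", "summer"})


def charset_size(password: str) -> int:
    """Size of the alphabet the password appears to draw from (assumed estimator:
    each character class present adds its whole class to the alphabet)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += 33  # printable ASCII symbols plus space
    return size


def raw_bits(password: str) -> float:
    """Shannon-style entropy estimate: length * log2(alphabet size)."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def dictionary_penalty(password: str) -> float:
    """Bits removed for dictionary words. Assumption: a word found as a
    case-insensitive substring is worth one choice from the dictionary
    (log2 of its size), not len(word) independent characters."""
    if not password:
        return 0.0
    per_char = raw_bits(password) / len(password)
    lowered = password.lower()
    penalty = 0.0
    for word in DICTIONARY:
        if word in lowered:
            penalty += len(word) * per_char - math.log2(len(DICTIONARY))
    return max(penalty, 0.0)


def effective_bits(password: str) -> float:
    return max(raw_bits(password) - dictionary_penalty(password), 0.0)


def lifetime_days(bits: float) -> int:
    """Linear interpolation between the two anchor points, clamped outside them."""
    (b0, d0), (b1, d1) = ANCHORS
    bits = min(max(bits, b0), b1)
    return round(d0 + (bits - b0) * (d1 - d0) / (b1 - b0))


def bits_per_day() -> float:
    (b0, d0), (b1, d1) = ANCHORS
    return (b1 - b0) / (d1 - d0)


def bits_gained(days_before: int, days_after: int) -> float:
    """Convert a change in mean lifetime back into bits of entropy."""
    return (days_after - days_before) * bits_per_day()


def password_lifetime(password: str) -> int:
    return lifetime_days(effective_bits(password))


if __name__ == "__main__":
    # Constructed sample passwords, not from the study.
    for pw in ("Password1!", "correct horse battery staple"):
        print(f"{pw!r}: {effective_bits(pw):.1f} effective bits -> {password_lifetime(pw)} days")
    print(f"145 -> 170 days is {bits_gained(145, 170):.1f} bits under a linear mapping")
```

Note that "Password1!" scores about 65 bits before the dictionary penalty and under 50 after it, so it receives only the minimum lifetime despite mixing four character classes; a long passphrase without dictionary hits reaches the maximum. That is the behaviour the policy is designed to reward.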


RISCS2: Uncertainty and Complexity

On this second day of the May 2018 RISCS meeting, the focus moved to uncertainty. In a fast-changing environment it's hard to know whether the decisions we make today will hold up in the future. "Prediction is difficult, especially about the future," the Danish politician Karl Kristian Steincke wrote in


RISCS Community Meeting May 2018: Day Two

Day 2: Thursday 24th May 2018

Community Meeting Agenda

Morning session: Dealing with Uncertainty

We began with some presentations on techniques for orienting ourselves in a complex problem space before embarking on the workshop. RISCS Director Madeline Carr provided an overview of approaches to dealing with uncertainty that are emerging from

By Emma Bowman