Investigating the Password Policy Practices of Website Administrators

Empirical grounding on web administrators' management of password policies and avenues for improvement.
Our peer-reviewed study was presented at the 2023 IEEE Symposium on Security and Privacy (SP)
Main Findings

Security Concerns Drive Password Policy Decisions

We found that web administrators are strongly influenced by security considerations when setting password policies. For example, many administrators enforce longer minimum lengths and character-composition rules in the belief that these improve security. However, some administrators continue to use outdated practices, such as mandatory password expiration, despite current guidance (for example NIST SP 800-63B) recommending against forced periodic changes.

System Compatibility and Software Defaults Influence Policy Choices

We observed that the technical constraints of existing systems significantly shape password policies. Administrators often cap password length or restrict the permitted character set to remain compatible with legacy back-end systems. In addition, many administrators simply keep the default settings shipped by their software platform, which can lock in suboptimal security practices that nobody consciously chose.

Usability Concerns Shape Password Requirements

Usability plays a crucial role in determining password policies. Administrators often avoid overly demanding requirements in order to limit user frustration and the volume of password-reset requests. This tension between usability and security means that deployed policies are frequently compromises rather than the strictest configuration the administrator believes to be secure.

Lack of Awareness and Education Leads to Suboptimal Policies

Many web administrators are unaware of, or misunderstand, modern password policy recommendations. This gap in awareness leads to the continued use of outdated or less secure practices, such as mandatory password changes or rigid composition requirements, even where the administrator's stated goal is stronger security.
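To make the contrast between the "outdated practices" described in the two findings above and current guidance concrete, here is an added example (not code from the study or its authors) that encodes a legacy-style policy (composition rules, a 16-character cap, 90-day expiry) beside a NIST SP 800-63B-style policy (length 8 to 64, no composition rules, no forced rotation, blocklist check) and runs both over sample passwords. The blocklist is a constructed five-entry stand-in for a real compromised-password list, and the `Policy` class and its fields are assumptions for illustration, not an API from the paper.

```python
"""Legacy vs. modern password-policy check (added example, not from the paper)."""
import re
import unicodedata
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Constructed, tiny stand-in for a real breached/common-password list.
# A production deployment would consult a large list or a k-anonymity API.
COMMON_PASSWORDS = frozenset({
    "password", "p@ssw0rd1", "welcome1!", "qwerty123", "letmein",
})


@dataclass
class Policy:
    """Hypothetical policy object: the fields mirror the knobs admins in the study mentioned."""
    name: str
    min_length: int
    max_length: int
    composition_rules: bool            # require upper, lower, digit and symbol
    rotation_days: Optional[int]       # None means no forced expiry
    blocklist: FrozenSet[str] = field(default_factory=frozenset)

    def check(self, password: str) -> List[str]:
        """Return the reasons a password is rejected; an empty list means accepted."""
        problems: List[str] = []
        # NFKC-normalize first so visually identical Unicode input is judged consistently.
        pw = unicodedata.normalize("NFKC", password)
        if len(pw) < self.min_length:
            problems.append(f"shorter than {self.min_length}")
        if len(pw) > self.max_length:
            problems.append(f"longer than {self.max_length}")
        if self.composition_rules:
            classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
            if any(not re.search(c, pw) for c in classes):
                problems.append("missing required character classes")
        # Blocklist comparison is case-insensitive: attackers try case variants anyway.
        if pw.casefold() in self.blocklist:
            problems.append("appears in blocklist")
        return problems


# Legacy policy: complexity + short cap + 90-day expiry, the pattern several
# interviewees described.  Modern policy: 800-63B-style length range and blocklist.
LEGACY = Policy("legacy", 8, 16, composition_rules=True, rotation_days=90)
MODERN = Policy("modern", 8, 64, composition_rules=False, rotation_days=None,
                blocklist=COMMON_PASSWORDS)


def compare(password: str) -> dict:
    """Evaluate one candidate password under both policies."""
    return {p.name: p.check(password) for p in (LEGACY, MODERN)}


def rotation_due(policy: Policy, password_age_days: int) -> bool:
    """Forced expiry applies only when the policy defines a rotation interval."""
    return policy.rotation_days is not None and password_age_days >= policy.rotation_days


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "correct horse battery staple goes here", "short"):
        print(repr(candidate), compare(candidate))
    print("legacy rotation due at 120 days:", rotation_due(LEGACY, 120))
    print("modern rotation due at 1000 days:", rotation_due(MODERN, 1000))
```

Running it shows the failure mode the findings describe: the legacy rules accept `P@ssw0rd1` (it satisfies every character class) but reject a 38-character passphrase for exceeding the cap and lacking digits and symbols, while the modern policy does the opposite, rejecting the blocklisted string and accepting the passphrase.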

Challenges in Updating Password Policies

Administrators face significant challenges when attempting to update password policies, including technical difficulties, resistance from users, and organizational constraints. Because rolling out a new policy is complex, particularly for large or sensitive systems, administrators frequently leave the older, less secure policy in place.

Methodology
  • Qualitative Approach: We employed a qualitative approach, combining online surveys and semi-structured interviews with 11 U.S.-based web administrators responsible for managing website password policies.
  • Survey and Interviews: We began with an online survey to collect demographic data and basic information about the participants' password policies. This was followed by in-depth interviews tailored to each participant's specific experiences, allowing for a detailed exploration of the rationale behind their policy choices.
  • Thematic Analysis: We used thematic analysis to code and analyze the interview data, identifying key themes related to influences on password policy decisions, challenges of updating policies, and adherence to or deviation from modern security guidelines.
  • Participant Recruitment: Participants were recruited through various channels, including social media and professional networks. The study adhered to strict ethical guidelines, ensuring participant anonymity and securing the data collected.