Password security — No change in 35 years?

Abstract

Textual passwords were first identified as a weak point in information system's security by Morris and Thompson in 1979. They found that 86% of the passwords were weak: being too short, containing lowercase letters only, digits only or a combination of the two, being easily found in dictionaries. OBJECTIVE: Despite the importance of passwords as the first line of defense in most information systems, little attention has been given to the characteristics of their actual use. Thus, the objective of this paper is to identify any problems that may arise in creating and using textual passwords. METHOD: A systematic literature review of studies in the area of password use and password security. Our research is restricted to articles in journals and conference papers written in English and published between 1979 and 2014. The search is conducted through IEEEXplore, ScienceDirect, Springer Link and ACM Digital Library. RESULTS: The computer community has not made a very much-needed shift in password management for more than 35 years. Users and their passwords are still considered the main weakness in any password system, because users often choose easily guessable passwords: words, names, birthdates, etc., because they are easy to remember. CONCLUSION: Password policies and password checkers can help users create strong and easy-to-remember passwords. This work will serve as a starting point for our further research in this area where we want to determine whether these password policies are useful to the users, and whether the users can easily apply them.