The science on password security vs usability

Researchers at Carnegie Mellon University’s CyLab Security and Privacy Institute have developed a science-based policy for creating passwords that balances security and usability.

In their work, the researchers verified what most users already knew: Including upper case letters, digits and symbols has a negative impact on usability. Surprisingly, the team also found those kinds of requirements don’t increase password strength as much as others, said CyLab Director Lorrie Cranor, who is also a professor in the Institute for Software Research and the department of Engineering and Public Policy.

In a paper providing practical recommendations for better passwords, the team demonstrated that minimum-strength and minimum-length requirements are sufficient even for high-value user accounts, that blocking the use of certain passwords is not as effective as often assumed unless carefully configured and that forcing users to include special characters “may provide very little improvement and may even reduce effective security.”

Rather than incorporating numbers and symbols, passwords just need to be 12 characters long – if they can pass a real-time strength test the researchers developed in 2016. The neural-network-powered password-strength meter gives users a password-security score and offers suggestions and explanations in real-time for creating a stronger password.

Through online experiments, the researchers evaluated the security and usability of different combinations of minimum-length requirements, character-class requirements, minimum-strength requirements and password blocklists. They asked participants to create and recall passwords under random password policies and found that requiring both a minimum strength and a minimum length of 12 characters created a good balance between security and usability.

“Although blocklist and minimum-strength policies can produce similar results,” university officials said, “minimum-strength policies [can be] flexibly configured to a desired security level, and they are easier to deploy alongside real-time requirements feedback in high-security settings.

The paper will be presented at the November ACM Conference on Computer and Communications Security, which will be held virtually.

About the Author

Connect with the GCN staff on Twitter @GCNtech.


  • 2020 Government Innovation Awards
    Government Innovation Awards -

    21 Public Sector Innovation award winners

    These projects at the federal, state and local levels show just how transformative government IT can be.

  • Federal 100 Awards
    cheering federal workers

    Nominations for the 2021 Fed 100 are now being accepted

    The deadline for submissions is Dec. 31.

Stay Connected