Improving Password Generation Through the Design of a Password Composition Policy Description Language

Anuj Gautam, Shan Lalani, and Scott Ruoti

Password managers help users more effectively manage their passwords, yet the adoption of password generation is minimal. One explanation for this problem is that websites' password composition policies (PCPs) can reject generated passwords, creating a usability impediment. To address this issue, we design a PCP language that websites use to describe their PCP and that managers use to generate compliant passwords. We develop this language using an iterative process involving an extensive collection of PCPs scraped from the Web. We provide libraries for adopting our PCP language into websites and password managers and build proof-of-concept prototypes to verify the real-world feasibility of our PCP language. Using a 25-person user study, we demonstrate that our language and libraries are easy to pick up and correctly use for novice developers. Finally, we replicate and extend past research evaluating Web PCPs, showing that half of PCPs fail to require passwords that resist offline attacks when considering that users prefer certain character classes when selecting their passwords.

Anuj Gautam, Shan Lalani, and Scott Ruoti. 2022. Improving password generation through the design of a password composition policy description language. In Proceedings of the 18th Symposium on Usable Privacy and Security. USENIX.