A comparison of password management policies

2016 
Managing passwords in information systems is a very important task, yet nothing seems to have been learned from recent incidents. Bad password management practices have led to the loss of lives, as in the case of the suicides after the “Ashley Madison leak”. Password security is simply not taken seriously, despite the problems being known since at least 1979. Interestingly, the PICMET conference on-line system itself implements a bad password management policy, as all passwords are stored and re-sent upon request by plaintext email. The objective of this paper is to present the underlying mechanisms that lead to bad password management policies. Memorability and memory decay, complexity, simplicity and other factors are presented and analyzed. A novel password management policy, “Psychopass”, is proposed, where a password can be created, memorized and recalled by thinking of an action sequence (a visual representation) instead of a string of characters. The experiment showed that users tend to remember passwords better under the “Psychopass” policy than under other password management policies currently in effect. The results confirm that the “Psychopass” policy is an alternative to existing password management practices and can improve resilience to attacks on information systems.