
Analysis of User Response to Complexity in Password Composition Policies in U.S. Healthcare Organization

Posted on: 2019-04-05
Degree: Ph.D
Type: Dissertation
University: Northcentral University
Candidate: Murphy, David S
Full Text: PDF
GTID: 1448390002471039
Subject: Computer Science
Abstract/Summary:
Password policies often lead users to create passwords that are not effective at resisting dictionary attacks. When passwords are ineffective at resisting attack, a vector (an opportunity for unauthorized access) is created through which malicious actions may be taken against the digital resources. The purpose of this quasi-experimental study of U.S. healthcare employees was to identify whether the number of password composition requirements has a negative effect on the cryptographic strength of user-generated passwords. Within the framework of protection motivation theory, users may perceive complexity as a fear appeal. In this study, self-generated passwords created in response to four conditions of complexity were evaluated for their mean Levenshtein edit distance to a list of known passwords. The variance in the mean distances was evaluated using ANOVA to determine any effect. A consistent positive relationship between the complexity of password policies and the cryptographic strength of self-generated passwords was observed. This study demonstrated that the complexity of password requirements does not always result in users' creating passwords that are cryptographically weaker. Although the common problem of fearing forgetting passwords may encourage users to take inappropriate actions, this fear of forgetting passwords may not be exacerbated by increased policy complexity. In order to address the challenge of users' creating similar passwords, future studies may address the use of prefixes or suffixes and analyze the similarity in textual content of the self-generated passwords across the multiple conditions.
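The measurement the abstract describes, sketched as an added example that is not code from the dissertation: each password is scored by its mean Levenshtein distance to a known-password list, and a one-way ANOVA F statistic compares the scores across four conditions. The function names, the known list, the sample passwords and the condition labels are all constructed assumptions.

```python
from statistics import mean

def levenshtein(a, b):
    """Edit distance: fewest inserts, deletes and substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute or match
        prev = cur
    return prev[-1]

def mean_distance(password, known):
    """Mean edit distance from one password to every entry of the known list."""
    return mean(levenshtein(password, k) for k in known)

def score_conditions(conditions, known):
    """Map each condition name to the per-password mean distances."""
    return {name: [mean_distance(p, known) for p in pws]
            for name, pws in conditions.items()}

def one_way_anova_f(groups):
    """F statistic: between-group mean square over within-group mean square."""
    scores = [x for g in groups for x in g]
    grand = mean(scores)
    ss_between = sum(len(g) * (mean(g) - grand) ** 2 for g in groups)
    ss_within = sum((x - mean(g)) ** 2 for g in groups for x in g)
    df_between, df_within = len(groups) - 1, len(scores) - len(groups)
    return (ss_between / df_between) / (ss_within / df_within)

# Constructed sample data; the study's real list and passwords are not on the page.
KNOWN = ["password", "123456", "qwerty"]
CONDITIONS = {
    "condition 1": ["password1", "12345", "sunshine"],
    "condition 2": ["Password1", "Summer19", "Qwerty12"],
    "condition 3": ["Passw0rd!", "Summer#19", "B1ueSky$"],
    "condition 4": ["tR7!mq-Lake", "Gr33n^Door5", "x9$Hollow_2"],
}

if __name__ == "__main__":
    scored = score_conditions(CONDITIONS, KNOWN)
    for name, scores in scored.items():
        print(f"{name}: mean distance {mean(scores):.2f}")
    print(f"F = {one_way_anova_f(list(scored.values())):.2f}")
```

A larger mean distance only says a password is less similar to the listed entries; the F statistic still has to be compared against the F distribution for the given degrees of freedom before any effect is claimed.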
Keywords/Search Tags:Password, Complexity, Policies