Making passwords more secure and easier to remember


Researchers in the NSF-funded Carnegie Mellon University Usable Privacy and Security Doctoral Training Program are conducting research to help make passwords more secure without driving users crazy. Text-based passwords are the most common mechanism for authenticating humans to computer systems. To prevent users from picking passwords that are too easy for an adversary to guess, system administrators adopt password-composition policies (e.g., requiring symbols and numbers) to guide users in creating passwords. Unfortunately, little is known about the relationship between password-composition policies and the strength of the resulting passwords, or about the behavior of users (e.g., writing down passwords) in response to different policies. The Carnegie Mellon team, led by professors Lorrie Cranor, Lujo Bauer, and Nicolas Christin, conducted a large-scale study that investigates password strength, user behavior, and user sentiment across five password-composition policies. They statistically characterized the predictability of passwords and found that a number of commonly held beliefs about password composition and strength are inaccurate. They correlated their results with user behavior and sentiment to produce several recommendations for password-composition policies that result in strong passwords without unduly burdening users. See “Of Passwords and People: Measuring the Effect of Password-Composition Policies” published at CHI 2011.
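To make concrete what a "password-composition policy" is, the added example below (not code from the page or from the Carnegie Mellon study) expresses a handful of policies as checkable constraints and reports which constraints a candidate password violates. The policy names, their exact rules, the toy dictionary and the sample passwords are this example's own choices; a deployed checker would use a real word list.

```python
import string
from dataclasses import dataclass

# Constructed stand-in for the word list a "no dictionary words" rule consults.
TOY_DICTIONARY = {"password", "monkey", "dragon", "letmein", "welcome"}

# Character classes a policy may require at least one of.
CLASS_TESTS = {
    "digit": str.isdigit,
    "lower": str.islower,
    "symbol": lambda c: c in string.punctuation,
    "upper": str.isupper,
}


@dataclass(frozen=True)
class CompositionPolicy:
    """One password-composition policy: a length floor, required classes, dictionary rule."""
    name: str
    min_length: int
    required_classes: frozenset = frozenset()
    forbid_dictionary_words: bool = False


# Hypothetical policies of the shapes commonly compared: a short length floor,
# a long length floor, a dictionary ban, and a "must contain every class" rule.
POLICIES = (
    CompositionPolicy("basic8", 8),
    CompositionPolicy("basic16", 16),
    CompositionPolicy("dictionary8", 8, forbid_dictionary_words=True),
    CompositionPolicy("comprehensive8", 8, frozenset(CLASS_TESTS), True),
)


def violations(password: str, policy: CompositionPolicy) -> list[str]:
    """Return human-readable reasons the password fails the policy (empty list = compliant)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    for cls in sorted(policy.required_classes):
        if not any(CLASS_TESTS[cls](c) for c in password):
            problems.append(f"missing {cls}")
    if policy.forbid_dictionary_words:
        # Strip non-letters and ignore case so "Password1!" still matches "password".
        letters_only = "".join(c for c in password.lower() if c.isalpha())
        if letters_only in TOY_DICTIONARY:
            problems.append(f"contains dictionary word '{letters_only}'")
    return problems


def policies_satisfied(password: str) -> list[str]:
    """Names of the policies (in POLICIES order) that accept the password."""
    return [p.name for p in POLICIES if not violations(password, p)]


if __name__ == "__main__":
    for pw in ("Password1!", "correcthorsebatterystaple"):
        print(pw, "->", policies_satisfied(pw))
```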

Address Goals

Research advances knowledge of how to create more secure and usable passwords, which is critical for computer security.