---

---

                                                                                        Figure 5. A sketch of the debates in password practice

This is a big project encouraged by some wonderful reviewers and of my personal interest: it will be useful for the community and industry. It may take 3 year or 5 years to finish. Currently, I am performing related research (e.g., my ESORICS'15 paper on password policies of 100+ leading sites, ACM CCS'16 paper on targeted online guessing threat, ACM ASIACCS'17 paper on human-chosen PINs and NDSS'18 paper on password storage) and collecting related materials (e.g., evidence for over 30+ debates from the literature).  Thanks for the great help from my team members. I am also grateful to many constructive feedbacks.

  
1. The problems in the current password policies

1.1. A quote from the famous writer Geoffrey A. Landis

 "It has to have upper case, lower case, special characters, and at least one numeral. Also, spaces aren't allowed. It's not enough to come up with *a* secure password. You have to come up with a secure password that follows the arcane rules, different for each site, and you have to change it every 90 days. Then you have to do this fifty more times, because you probably log into at least fifty sites and the worst thing you can do is re-use a password."
                                                             ||
                                                               \/
               High complexity + Not reuse + Frequent expiration  =   Not usable policy

1.2  What users actually do?

         circumvent high complexity + highly re-use + recycling/write down  =   common user practice              

            A user survey:  http://www.sojump.com/jq/6443561.aspx  (Chinese version)
                                      http://www.sojump.com/jq/7005139.aspx   (English version)
             So far, we have got 500+ effective responses. Thanks for your participation!

1.3 The current crux
Despite many pioneering works, there is still a lack of both theoretic and empirical academic exploration:
Threat models;
Risk analysis;
Basic metrics; 
Debates;
Fundamental issues; 
A whole picture about the password ecosystem......

1.3.1 Known results

Password strength metrics;
True strength of user passwords;
Password probability distribution function; 
Rational user;
Password reuse behavior; 
(dis)Advantages of password expiration;
Effects of specific password composition rule;
Effects of password strength meter;



1.3.1 Unknown results

User security budget; 
Risks on the server; 
Stochastic process of password evolution;


2. Evidence-grounded recommendations

2.1 Recommendations for password composition rules

2.2 Sensible algorithms for password strength meters

2.3 Source codes for password strength meters



Under constructing......


​