Password Policy Effects on Entropy and Recall: Research in Progress

Passwords are commonly used for authentication. System architects generally put in place password policies that define the required length of a password, the complexity requirements of the password, and the expiration (if ever) of the password. Password policies are designed with the intent of helping users choose secure passwords, and in the case of password expiration, limit the potential damage of a compromised password. However, password policies can have unintended consequences that could potentially undermine their security aims. Based on the theory of cognitive load, it is hypothesized that password policy elements increase extraneous load, which can result in high entropy passwords, but to the detriment of recall. It is further hypothesized that certain password policy elements can still help increase entropy, while minimizing the negative impact on recall. An experiment to test the hypotheses and determine both a secure and user friendly password policy is put forward.