Password Security in Practice:
An Analysis of Human Password Behaviour
Against Breach Datasets

Background

Password authentication was formalised as a computer security mechanism in the 1960s, with its persistence attributable as much to institutional inertia as to technical merit [1]. Despite the emergence of multi-factor authentication, hardware tokens, and biometric alternatives, password-only authentication remains the default configuration for the vast majority of consumer-facing systems. The National Institute of Standards and Technology (NIST) Special Publication 800-63B acknowledges this reality, focusing its recommendations not on eliminating passwords but on mitigating their worst failure modes: enforcing length floors, prohibiting composition complexity requirements, eliminating mandatory periodic rotation, and maintaining blocklists of known compromised credentials [2]. This policy evolution reflects a broader recognition that technical mandates divorced from human behavioural constraints produce counterproductive outcomes.

Empirical studies consistently demonstrate that users, when unconstrained by policy, converge on a narrow subset of credential structures. Analyses of large-scale breached credential corpora reveal that a disproportionate share of accounts — often exceeding thirty percent — can be compromised by attempting fewer than one hundred candidate passwords per account [3]. This concentration is not attributable to user negligence; it reflects rational adaptation to an environment that imposes high authentication frequency with limited cognitive bandwidth. The tendency to select passwords based on keyboard proximity, sequential patterns, or culturally salient words (names, sports teams, expletives) is well-documented across demographic groups and persists even when users are aware that such patterns are insecure. Password reuse across services further compounds this exposure: a credential validated against one breach corpus provides probabilistic coverage across multiple target systems, enabling credential-stuffing attacks at industrial scale.

Related Work

2.1 Users Are Not the Enemy — Adams & Sasse (1999)

Adams and Sasse [4] challenged the prevailing assumption that weak password selection reflects user ignorance or indifference, presenting empirical evidence from workplace environments that revealed a fundamental mismatch between security policy design and the cognitive demands placed on users. Their participants routinely circumvented password policies — writing passwords down, reusing credentials across systems, selecting minimal-complexity tokens — not from malice but from the impossibility of maintaining distinct, complex credentials across multiple systems without external memory aids. The paper introduced the concept of the security-usability trade-off as a structural property of authentication systems, arguing that enforcing complexity requirements without addressing cognitive load would systematically produce insecure outcomes. This framing fundamentally reoriented password security research toward sociotechnical rather than purely technical explanations, and its central argument — that system designers, not users, are responsible for the conditions that produce insecurity — remains the cornerstone of human-centred security practice.

2.2 The Quest to Replace Passwords — Bonneau et al. (2012)

Bonneau et al. [5] conducted a systematic comparative analysis of thirty-five proposed password-replacement schemes, evaluating each against a unified framework of deployability, usability, and security properties. Their analysis formalised the concept of guessing entropy as a measure of password-set strength, distinguishing between the theoretical entropy of a uniformly distributed credential space and the effective entropy available to an attacker who exploits the distributional skew inherent in user-chosen passwords. A central finding was that user-chosen passwords consistently exhibit dramatically lower effective entropy than their theoretical maximum, due to the heavy concentration of choices around culturally predictable patterns. The paper established that no proposed replacement mechanism simultaneously excels across all three evaluation dimensions — a result that explains the continued dominance of passwords in deployed systems and the difficulty of transitioning even technically superior alternatives into widespread adoption.

2.3 How Does Your Password Measure Up? — Ur et al. (2012)

Ur et al. [6] investigated how the presence and design of password-strength meters influence user password selection behaviour in a controlled laboratory study. Their findings demonstrated that well-calibrated meters significantly shifted users toward longer, more entropic credentials, but also revealed substantial discrepancies between user perception of password strength and the actual guessability of selected credentials — particularly for passwords that incorporated personal information or common substitution patterns (e.g., p@ssw0rd). The paper showed that feedback specificity — indicating not merely whether a password is strong but providing a concrete explanation of the specific weakness — produced measurably stronger outcomes than binary strength indicators. These findings directly motivate the design of the evaluation interface presented above, which provides category-specific feedback rather than an opaque strength score.

References

1. [1]  Corbató, F. J., Merwin-Daggett, M., & Daley, R. C. (1962). An experimental time-sharing system. Proceedings of the Spring Joint Computer Conference, 335–344.
2. [2]  Grassi, P. A., Garcia, M. E., & Fenton, J. L. (2017). NIST Special Publication 800-63B: Digital identity guidelines — authentication and lifecycle management. National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-63b
3. [3]  Bonneau, J. (2012). The science of guessing: Analyzing an anonymized corpus of 70 million passwords. 2012 IEEE Symposium on Security and Privacy, 538–552. https://doi.org/10.1109/SP.2012.49
4. [4]  Adams, A., & Sasse, M. A. (1999). Users are not the enemy. Communications of the ACM, 42(12), 40–46. https://doi.org/10.1145/322796.322806
5. [5]  Bonneau, J., Herley, C., van Oorschot, P. C., & Stajano, F. (2012). The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. 2012 IEEE Symposium on Security and Privacy, 553–567. https://doi.org/10.1109/SP.2012.44
6. [6]  Ur, B., Kelley, P. G., Komanduri, S., Lee, J., Maass, M., Mazurek, M. L., Passaro, T., Shay, R., Vidas, T., Bauer, L., Christin, N., & Cranor, L. F. (2012). How does your password measure up? The effect of strength meters on password creation. Proceedings of the 21st USENIX Security Symposium, 65–80.