Good guidance or mistaken misdirection: Assessing the quality of password advice
Proceedings of the Annual Information Institute Conference
School of Science / ECU Security Research Institute
Modern websites often require users to create accounts in order to utilise services or store information. With password leaks appearing on an almost daily basis and being widely publicised, it is reasonable to assume that users should be adopting appropriate practices to secure their accounts and minimise their exposure to compromise. Despite the adoption of various password creation practices (e.g. password length and composition rules), appropriate guidance is often lacking. In order to bridge this gap, cybersecurity advice websites provide guidance to users to assist with the selection and use of appropriate passwords. This paper critically evaluates the advice provided by national-level guidance sites (often supported or implemented by government bodies). This guidance is likely to be a key source of reference for the populace of the respective countries and, as such, is worthy of examination to determine the effectiveness of the advice and its potential impact on individuals. Accordingly, this paper presents a qualitative evaluation of the password guidance offered to end-users by a series of national cybersecurity advisory websites. The assessment is based upon a series of 11 criteria relating to password selection and management, with the guidance being rated as to whether it fully or partially addresses the related issues. This reveals considerable variation in the scope and quality of the material, with some of the sources having areas of omission or even potential misdirection in the guidance being offered.