Quality of Password Management Policy

Carlos Villarrubia, Eduardo Fernández-Medina and Mario Piattini
Alarcos Research Group, Information Systems and Technologies Department
UCLM-Soluziona Research and Development Institute
University of Castilla-La Mancha
Paseo de la Universidad, 4 - 13071 Ciudad Real, Spain
{Carlos.Villarrubia, Eduardo.FdezMedina, Mario.Piattini}@uclm.es

Abstract

The use of passwords is the most common method of authenticating users in information systems. For this reason, quality in password management is needed to reach reasonable levels in the typical security objectives. In this paper we propose a set of metrics for password policies based on the most relevant factors in the authentication mechanism. Together with the metrics, we propose a quality indicator derived from them that gives a global view of the quality of the password management policy in use. Finally, we indicate the future work to be carried out to check the validity and usefulness of the proposed metrics.

1. Introduction

The use of an authentication system requires the integration of multiple elements; depending on the techniques used, it is necessary to draw on cryptography, medicine, psychology, systems analysis and protocol design. All authentication systems are designed to assure the identity of one participant to another, and this process requires that the first participant demonstrate its identity by means of some kind of information: knowledge evidence, possession evidence or biological evidence. This authentication evidence can be a word or password, as used in the majority of systems and applications (knowledge evidence), a cryptographic card (possession evidence), or a biological characteristic of the individual being authenticated, measured through a biometric device (biological evidence).

Historically, a mechanism based on passwords has been the most widely used method. The importance of this authentication mechanism has led to the elaboration of rules and recommendations at multiple levels [11, 12, 13, 14, 20, 21]. The fact that this method is very easy to use in all systems, together with its low cost, has motivated this acceptance [18]. The deficiencies of this method have been widely studied, and measures have been proposed to limit its disadvantages [2, 9, 23]. In some designs the main disadvantages are linked to the trust that must be placed in users when handling passwords, while on other occasions they stem from designs that assumed a secure environment (such as an intranet) and have since been used in other environments (for example, the Internet) [10].

All these problems suggest that passwords are a mechanism to be replaced, but users' acceptance of them and their low cost, together with the complexity and cost of the alternative methods, guarantee their continued use in the short and medium term.

2. Security Metrics

Information and the processes that support it, together with systems and networks, are important resources for any organization. These resources are continuously subject to risks and insecurities coming from a great variety of sources, including threats based on malicious code, programming errors, human errors or fires. This concern has encouraged many organizations to propose metrics to evaluate the security of their information systems. In general, there is a consensus that the choice of these metrics depends on the security needs of each organization. The majority of proposals put forward methods for choosing these metrics [4, 19, 22, 27, 28]. In addition, the need to develop specific methodologies for each organization is sometimes suggested.

Proceedings of the First International Conference on Availability, Reliability and Security (ARES'06) 0-7695-2567-9/06 $20.00 © 2006 IEEE Computer Society