The Comparison of Password Composition Policies Among US, German, and Thailand Samples

TY - GEN

T1 - The Comparison of Password Composition Policies Among US, German, and Thailand Samples

AU - Lomchan, Jenjira

AU - Wiangsripanawan, Rungrat

AU - Shahandashti, Siamak F.

N1 - Publisher Copyright: © 2023 IEEE.

PY - 2023/7/1

Y1 - 2023/7/1

N2 - The study by Mayer, Kirchner, and Volkamer published at SOUPS 2017 showed that the password composition policy (PCP) strength of both the US and German websites was not influenced by the security but by the usability features of the websites. Surprisingly, the PCP strength of the banking website category was the lowest, whereas the government website was the highest. Our aim in conducting the first study is to find whether 78 Thai frequently used websites in 2018 would yield the same surprising results. Our finding showed an opposite perspective, the highest PCP strength was from the banking websites, followed by university and government websites, respectively. Two more security features were added to our study: 2FA and HTTPS. Although some German websites employing 2FA allowed lower PCPs for better usability, Thai websites with 2FA did not loosen the password requirements. Also, employing HTTPS did not impact the PCP strength. The study with Thai websites was reinvestigated in 2021, two years after the Personal Data Protection Act (PDPA) was announced. The result showed that the median PCP strength of all Thailand samples had grown from 26.6 in 2018 to 31.0 in 2021. The banking websites still retained the highest PCP strength. A significant change appeared on the government websites, increasing from 29.9 to 40.4. In summary, the security features such as the size of services, and values of assets which play no part in both the US and German PCPs were heavily concerned by Thai websites. Government and university websites in Germany and USA gave much higher PCP strength than those in Thailand. The Thai government's PCP strength sharply increased in 2021 due to the privacy law. Nevertheless, it was still lower than the results in Germany and USA in 2016. Therefore, the criteria influencing PCP vary depending on the country.

AB - The study by Mayer, Kirchner, and Volkamer published at SOUPS 2017 showed that the password composition policy (PCP) strength of both the US and German websites was not influenced by the security but by the usability features of the websites. Surprisingly, the PCP strength of the banking website category was the lowest, whereas the government website was the highest. Our aim in conducting the first study is to find whether 78 Thai frequently used websites in 2018 would yield the same surprising results. Our finding showed an opposite perspective, the highest PCP strength was from the banking websites, followed by university and government websites, respectively. Two more security features were added to our study: 2FA and HTTPS. Although some German websites employing 2FA allowed lower PCPs for better usability, Thai websites with 2FA did not loosen the password requirements. Also, employing HTTPS did not impact the PCP strength. The study with Thai websites was reinvestigated in 2021, two years after the Personal Data Protection Act (PDPA) was announced. The result showed that the median PCP strength of all Thailand samples had grown from 26.6 in 2018 to 31.0 in 2021. The banking websites still retained the highest PCP strength. A significant change appeared on the government websites, increasing from 29.9 to 40.4. In summary, the security features such as the size of services, and values of assets which play no part in both the US and German PCPs were heavily concerned by Thai websites. Government and university websites in Germany and USA gave much higher PCP strength than those in Thailand. The Thai government's PCP strength sharply increased in 2021 due to the privacy law. Nevertheless, it was still lower than the results in Germany and USA in 2016. Therefore, the criteria influencing PCP vary depending on the country.

KW - Password Composition Policies (PCP)

KW - Thailand

KW - Website

UR - http://www.scopus.com/inward/record.url?scp=85169290132&partnerID=8YFLogxK

U2 - 10.1109/JCSSE58229.2023.10202141

DO - 10.1109/JCSSE58229.2023.10202141

M3 - Conference contribution

AN - SCOPUS:85169290132

SN - 9798350300512

T3 - Proceedings of JCSSE 2023 - 20th International Joint Conference on Computer Science and Software Engineering

SP - 213

EP - 218

BT - Proceedings of JCSSE 2023 - 20th International Joint Conference on Computer Science and Software Engineering

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 20th International Joint Conference on Computer Science and Software Engineering, JCSSE 2023

Y2 - 28 June 2023 through 1 July 2023

ER -