A current state analysis of password policies for Swedish municipalities
2024 (English) Independent thesis Basic level (degree of Bachelor), 20 credits / 30 HE credits
Student thesis
Abstract [en]
With cyber-attacks on the rise, secure authentication is an important commodity. With passwords being a prevalent authentication method, password creation policies need to be adapted to modern threats and social situations in order to assist users in upholding secure practices. This statement is as true in the public sector as it is in the private sector. This thesis aims to document the current state of password policies for municipalities in Sweden via the collection and analysis of password policies. The timing of this thesis is unfortunate, as the act of data collection, especially when it comes to a topic as sensitive as passwords, brings skepticism as a consequence of the current state of the world. Data collection requests were sent out to all 290 municipalities in Sweden, and 131 policy documents were ultimately obtained and analyzed. While the acquisition rate falls below the 166 that would have been needed for the scientific standard if the data had been collected from a random sample, it is believed that this amount still allows for a sufficiently detailed overview of the current landscape to be mapped out. The policies were subsequently anonymously coded using both an inductive and deductive approach. The analyzed data was used to measure the following: compliance with the policies compared to recommendations by five security agencies, how long a policy revision is used before a new revision is created and what changes between revisions, and whether a positive relation can be found between the creation date of a password policy and its specified minimum password length. The thesis found that 26% of the acquired policies currently in use were compliant with the recommendations by MSB, and 0.08% were compliant with ENISA. These rates might be a direct consequence of MSB having vague recommendations, and ENISA presenting what they deem to be a strong password rather than what they recommend as a minimum.
Too few documents were acquired to make a general statement about policy age and changes between revisions. Furthermore, a significant positive relationship was found between password age and password length within the collected data.
Place, publisher, year, edition, pages: 2024, p. 91
Keywords [en]
Passwords, password creation, password policy, cyber-security, public sector, municipalities, Sweden, password recommendations
National Category
Information Systems, Social aspects
Identifiers URN: urn:nbn:se:his:diva-24333 OAI: oai:DiVA.org:his-24333 DiVA, id: diva2:1883502
Subject / course Information Technology
Educational program Network and Systems Administration
2024-07-10 Bibliographically approved