Do Users' Perceptions of Password Security Match Reality?

ABSTRACT
Although many users create predictable passwords, the extent to which users realize these passwords are predictable is not well understood. We investigate the relationship between users' perceptions of the strength of specific passwords and their actual strength. In this 165-participant online study, we ask participants to rate the comparative security of carefully juxtaposed pairs of passwords, as well as the security and memorability of both existing passwords and common password-creation strategies. Participants had serious misconceptions about the impact of basing passwords on common phrases and including digits and keyboard patterns in passwords. However, in most other cases, participants' perceptions of what characteristics make a password secure were consistent with the performance of current password-cracking tools. We find large variance in participants' understanding of how passwords may be attacked, potentially explaining why users nonetheless make predictable passwords. We conclude with design directions for helping users make better passwords.
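The misconceptions the abstract reports (common phrases, appended digits and keyboard patterns all feel stronger to users than they are) are easiest to see by tokenising a password the way a pattern-aware cracker or strength meter does and multiplying the guesses each token costs. The Python below is an added example, not code from the paper or from any of the tools it evaluated; the tiny rank-ordered wordlist, the per-pattern guess counts, the leet table and the decision to let the attacker know the password's structure (a known-mask, optimistic-for-the-attacker bound) are all assumptions for illustration.

```python
import string

# Constructed, rank-ordered mini wordlist standing in for a cracker's
# dictionary: rank 1 is tried first. Real lists hold millions of entries.
COMMON = ["123456", "password", "iloveyou", "princess", "qwerty", "monkey",
          "dragon", "football", "sunshine", "letmein", "welcome", "summer"]
RANK = {word: i + 1 for i, word in enumerate(COMMON)}

# Straight runs along these rows, in either direction, count as keyboard walks.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Leet substitutions a cracker undoes before a dictionary lookup (assumed set).
LEET = {"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
        "3": "e", "$": "s", "5": "s", "7": "t"}


def case_variations(chunk):
    """Extra guesses needed to recover the capitalisation of a dictionary hit."""
    if chunk == chunk.lower():
        return 1
    if chunk == chunk.upper() or (chunk[0].isupper() and chunk[1:] == chunk[1:].lower()):
        return 2                       # ALLCAPS and Capitalised are standard mangling rules
    return 2 ** sum(c.isalpha() for c in chunk)   # arbitrary mixed case


def dictionary_cost(chunk):
    lower = chunk.lower()
    unleeted = "".join(LEET.get(c, c) for c in lower)
    substituted = sum(c in LEET for c in lower)
    costs = []
    if lower in RANK:
        costs.append(RANK[lower])
    if unleeted in RANK:
        costs.append(RANK[unleeted] * 2 ** substituted)   # each swap doubles the work
    return min(costs) * case_variations(chunk) if costs else None


def keyboard_cost(chunk):
    if len(chunk) < 3:
        return None
    rows = KEYBOARD_ROWS + [row[::-1] for row in KEYBOARD_ROWS]
    if not any(chunk.lower() in row for row in rows):
        return None
    # Number of distinct straight walks of this length over all rows and directions.
    return float(sum(max(0, len(row) - len(chunk) + 1) for row in rows))


def digit_cost(chunk):
    if not chunk.isdigit():
        return None
    if len(chunk) == 4 and 1900 <= int(chunk) <= 2030:
        return 131.0                   # a year: one of ~131 plausible values
    if chunk in "1234567890" or chunk in "0987654321":
        return 20.0                    # a handful of keypad sequences
    return 10.0 ** len(chunk)


def repeat_cost(chunk):
    if len(chunk) >= 2 and len(set(chunk)) == 1:
        return 95.0                    # any single printable character, repeated
    return None


def bruteforce_cost(chunk):
    """Mask-style brute force: only the character classes present are enumerated."""
    size = 0
    if any(c.islower() for c in chunk):
        size += 26
    if any(c.isupper() for c in chunk):
        size += 26
    if any(c.isdigit() for c in chunk):
        size += 10
    if any(c in string.punctuation for c in chunk):
        size += len(string.punctuation)
    if any(not (c.isalnum() or c in string.punctuation) for c in chunk):
        size += 1                      # space or other character: one extra symbol
    return float(size) ** len(chunk)


def chunk_cost(chunk):
    costs = [bruteforce_cost(chunk)]
    for matcher in (dictionary_cost, keyboard_cost, digit_cost, repeat_cost):
        cost = matcher(chunk)
        if cost is not None:
            costs.append(cost)
    return min(costs)


def estimate_guesses(password):
    """Cheapest tokenisation of the password under the matchers above.

    Dynamic programme over split points. The attacker is assumed to know the
    structure (which chunk is a word, a walk, a digit run), so the result is
    a lower bound of the kind a cracker with good rules approaches.
    """
    n = len(password)
    best = [float("inf")] * (n + 1)
    best[0] = 1.0
    for end in range(1, n + 1):
        for start in range(end):
            candidate = best[start] * chunk_cost(password[start:end])
            if candidate < best[end]:
                best[end] = candidate
    return best[n]


def rank_by_strength(passwords):
    """Return (password, estimated guesses) pairs, weakest first."""
    return sorted(((p, estimate_guesses(p)) for p in passwords), key=lambda pair: pair[1])


if __name__ == "__main__":
    # Constructed sample: forms users tend to misjudge, plus a random string for scale.
    sample = ["iloveyou", "iloveyou123", "qwertyuiop", "P@ssw0rd",
              "Password1!", "xK9#mQ2v"]
    for password, guesses in rank_by_strength(sample):
        print(f"{password:14s} ~{guesses:.3g} guesses")
```

Under this model the phrase "iloveyou" costs three guesses because it is a single dictionary entry, not a sentence; appending "123" multiplies that by twenty, not by a thousand; the ten-character walk "qwertyuiop" is one of only four straight full-row walks; and "P@ssw0rd" is recovered after the two substitutions and one capitalisation rule are undone. Only the random string forces per-position enumeration, which is why the same additions that users rate as large security gains buy almost nothing against a pattern-aware attacker.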