Abstract
Passwords are ubiquitous in our daily digital lives. They protect assets ranging from a simple account on an online newspaper website to our health information on government websites. Because of the value they protect, attackers have developed effective techniques for cracking and guessing passwords, both offline and online. In many cases, users are forced to choose stronger passwords to comply with password policies; such policies are known to alienate users and do not significantly improve password quality. Another solution is to put in place proactive password-strength meters/checkers that give users feedback while they create new passwords. Millions of users are now exposed to these meters on highly popular web services that use user-chosen passwords for authentication. More recently, these meters are also being built into popular password managers, which protect several user secrets, including passwords. Recent studies have found evidence that some meters actually guide users to choose better passwords, a rare bit of good news in password research. However, these meters are mostly based on ad hoc design. At least, as far as we found, most vendors do not provide any explanation for their design choices, sometimes making the meters appear as a black box. We analyze password meters deployed in selected popular websites and password managers. We document obfuscated source-available meters, infer the algorithm behind the closed-source ones, and measure the strength labels assigned to common passwords from several password dictionaries. From this empirical analysis with millions of passwords, we shed light on how the server end of some web service meters functions and provide examples of highly inconsistent strength outcomes for the same password in different meters, along with examples of many weak passwords being labeled as strong or even excellent. These weaknesses and inconsistencies may confuse users in choosing a stronger password, and thus may undermine the purpose of these meters. On the other hand, we believe these findings may help improve existing meters and possibly make them an effective tool in the long run.