
A Large-Scale Evaluation of High-Impact Password Strength Meters

Published: 27 May 2015

Abstract

Passwords are ubiquitous in our daily digital lives. They protect various types of assets ranging from a simple account on an online newspaper website to our health information on government websites. However, due to the inherent value they protect, attackers have developed insights into cracking/guessing passwords both offline and online. In many cases, users are forced to choose stronger passwords to comply with password policies; such policies are known to alienate users and do not significantly improve password quality. Another solution is to put in place proactive password-strength meters/checkers to give feedback to users while they create new passwords. Millions of users are now exposed to these meters on highly popular web services that use user-chosen passwords for authentication. More recently, these meters are also being built into popular password managers, which protect several user secrets including passwords. Recent studies have found evidence that some meters actually guide users to choose better passwords—which is a rare bit of good news in password research. However, these meters are mostly based on ad hoc design. At least, as we found, most vendors do not provide any explanation for their design choices, sometimes making them appear as a black box. We analyze password meters deployed in selected popular websites and password managers. We document obfuscated source-available meters, infer the algorithm behind the closed-source ones, and measure the strength labels assigned to common passwords from several password dictionaries. From this empirical analysis with millions of passwords, we shed light on how the server end of some web service meters functions and provide examples of highly inconsistent strength outcomes for the same password in different meters, along with examples of many weak passwords being labeled as strong or even excellent. 
These weaknesses and inconsistencies may confuse users in choosing a stronger password, and thus may weaken the purpose of these meters. On the other hand, we believe these findings may help improve existing meters and possibly make them an effective tool in the long run.
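To make the abstract's two findings concrete (the same password receiving very different labels from different meters, and dictionary-derived passwords being labeled strong), here is an added example that is not the paper's code and not any vendor's meter. Meters A and B imitate the ad hoc, character-class-based style of many deployed checkers, with thresholds chosen arbitrarily; meter C adds the kind of dictionary check the paper's methodology measures against. The mini-dictionary, the leet-speak mapping and the sample passwords are constructed for this example.

```python
"""Toy password meters compared over a constructed password list.

Illustrative code for this page only: not the paper's tooling and not any
vendor's meter. Meters A and B are character-class ("LUDS") estimators with
made-up thresholds; meter C consults a small constructed dictionary first.
"""
import math
import re

LABELS = ("very weak", "weak", "fair", "strong", "very strong")

# Constructed mini-dictionary standing in for a leaked-password wordlist.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "qwerty", "letmein", "iloveyou", "monkey", "dragon",
})

# Assumed leet-speak substitutions, the first thing a cracker's rule set undoes.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "$": "s", "!": "i"})
TRAILING = "0123456789!@#$%^&*._-"   # digits/symbols users append to a word


def charset_size(pw: str) -> int:
    """Alphabet size implied by the character classes present in pw."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII symbols
    return size


def naive_entropy_bits(pw: str) -> float:
    """len * log2(alphabet): the classic estimate, blind to dictionary words."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def meter_a(pw: str) -> str:
    """Meter A: fixed thresholds on the naive entropy estimate."""
    bits = naive_entropy_bits(pw)
    for limit, label in ((28, "very weak"), (36, "weak"), (60, "fair"), (128, "strong")):
        if bits < limit:
            return label
    return "very strong"


def meter_b(pw: str) -> str:
    """Meter B: point-based rules (two length bonuses plus one point per class)."""
    score = (len(pw) >= 8) + (len(pw) >= 12)
    score += sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return LABELS[0 if score <= 1 else min(score - 1, 4)]   # 0-1,2,3,4,5-6 points


def candidates(pw: str) -> set:
    """Forms a dictionary attack would try: lowercased, with trailing
    digits/symbols stripped, and with leet substitutions undone."""
    base = pw.lower()
    forms = set()
    for s in (base, base.rstrip(TRAILING)):
        forms.add(s)
        forms.add(s.translate(LEET))
    forms.discard("")
    return forms


def meter_c(pw: str) -> str:
    """Meter C: dictionary check first, then fall back to meter A."""
    if candidates(pw) & COMMON_PASSWORDS:
        return "very weak"
    return meter_a(pw)


METERS = {"A": meter_a, "B": meter_b, "C": meter_c}


def compare(passwords):
    """Label every password with every meter: {pw: {meter: label}}."""
    return {pw: {name: fn(pw) for name, fn in METERS.items()} for pw in passwords}


def disagreements(passwords):
    """Passwords on which the three meters do not all agree."""
    return [pw for pw, res in compare(passwords).items() if len(set(res.values())) > 1]


def weak_labeled_strong(passwords):
    """Dictionary-derived passwords that at least one meter calls strong or better."""
    return [pw for pw, res in compare(passwords).items()
            if candidates(pw) & COMMON_PASSWORDS
            and any(lbl in ("strong", "very strong") for lbl in res.values())]


# Constructed sample: leaked-list entries, their mangled variants, a passphrase.
SAMPLE = ["password", "P@ssw0rd!1", "Letmein2024!", "123456", "correcthorsebatterystaple"]

if __name__ == "__main__":
    for pw, res in compare(SAMPLE).items():
        print(f"{pw:28s}" + "  ".join(f"{m}={lbl}" for m, lbl in res.items()))
    print("disagreements:", disagreements(SAMPLE))
    print("weak but labeled strong:", weak_labeled_strong(SAMPLE))
```

Running it shows the pattern the abstract describes: "P@ssw0rd!1" and "Letmein2024!" score strong or very strong on the two class-based meters because they hit every character class, while a trivial normalisation (lowercase, strip the trailing "!1" or "2024!", undo leet) maps both back to dictionary words. Only a meter that performs that normalisation before estimating strength labels them correctly, which is why measuring meters against mangled dictionary entries, not just raw wordlists, matters.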


Published in

ACM Transactions on Information and System Security, Volume 18, Issue 1
June 2015
126 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/2786062
Editor: Gene Tsudik

Copyright © 2015 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

        Publisher

        Association for Computing Machinery

        New York, NY, United States

Publication History

Received: 1 May 2014
Revised: 1 January 2015
Accepted: 1 February 2015
Published: 27 May 2015

Qualifiers: research article, refereed