Abstract
Password-composition policies are a response by service providers to growing concern about the security of online accounts. Such policies restrict the space of user-created passwords so as to exclude easily guessed ones and thereby make the remaining passwords harder for attackers to guess. However, many users struggle to create and recall passwords under strict composition policies, for example, those that require at least eight characters drawn from multiple character classes and that reject passwords containing dictionary words. Recent research suggested a promising alternative: focusing policy requirements on password length rather than on complexity. In this work, we examine 15 password policies, many of which focus on length requirements, and thereby contribute the first thorough examination of policies that require longer passwords. We conducted two online studies with over 20,000 participants and collected both usability and password-strength data. Our findings indicate that password strength and usability are not necessarily inversely correlated: policies that lead to stronger passwords do not always reduce usability. We identify policies that are both more usable and more secure than the commonly used policies that emphasize complexity rather than length. We also provide practical recommendations for service providers who want their users to have strong yet usable passwords.
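The abstract contrasts a complexity-oriented composition policy (minimum length, several character classes, a dictionary check) with policies that rely on length. The following is an added example, not code from the paper, showing how such policies are expressed and enforced and how the two kinds disagree on concrete passwords. The policy parameters, the policy names, the toy word list and the exact dictionary-check semantics (strip non-letters, lowercase, look for any embedded word of four or more letters) are assumptions made for this illustration, not the paper's definitions.

```python
import string
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed toy word list for the dictionary check. A production check
# would load a large list (e.g. a spell-checker word list); this one only
# needs to be big enough to exercise the logic.
TOY_DICTIONARY: Set[str] = {
    "password", "monkey", "dragon", "letmein", "welcome",
    "correct", "horse", "battery", "staple",
}

# Character classes as commonly counted by composition policies.
# Space is treated as a symbol so that multi-word passwords count it.
CHAR_CLASSES: Dict[str, Set[str]] = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation) | {" "},
}


def char_classes(password: str) -> Set[str]:
    """Return the names of the character classes present in the password."""
    return {name for name, chars in CHAR_CLASSES.items()
            if any(c in chars for c in password)}


def contains_dictionary_word(password: str,
                             dictionary: Set[str] = TOY_DICTIONARY,
                             min_word_len: int = 4) -> bool:
    """Assumed dictionary-check semantics: lowercase the password, drop every
    non-letter, then reject if any substring of at least min_word_len letters
    is a dictionary word. Stripping non-letters means 'pass@word' is still
    caught, while 'P@ssw0rd' is not (its letters are only 'psswrd')."""
    letters = "".join(c for c in password.lower() if c.isalpha())
    for start in range(len(letters)):
        for end in range(start + min_word_len, len(letters) + 1):
            if letters[start:end] in dictionary:
                return True
    return False


@dataclass(frozen=True)
class Policy:
    """A composition policy: minimum length, minimum number of character
    classes, and whether to run the dictionary check."""
    name: str
    min_length: int
    min_classes: int = 1
    dictionary_check: bool = False

    def violations(self, password: str) -> List[str]:
        """Return every requirement the password fails (empty list = accepted)."""
        problems: List[str] = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters "
                            f"(has {len(password)})")
        present = char_classes(password)
        if len(present) < self.min_classes:
            problems.append(f"fewer than {self.min_classes} character classes "
                            f"(has {len(present)}: {sorted(present)})")
        if self.dictionary_check and contains_dictionary_word(password):
            problems.append("contains a dictionary word")
        return problems

    def accepts(self, password: str) -> bool:
        return not self.violations(password)


# Two illustrative policies. The parameters are hypothetical choices made
# for this example: one complexity-oriented policy of the kind the abstract
# describes, and one that relies on length alone.
COMPLEXITY_POLICY = Policy("complexity (8 chars, 4 classes, dictionary check)",
                           min_length=8, min_classes=4, dictionary_check=True)
LENGTH_POLICY = Policy("length (16 chars)", min_length=16)


def evaluate(password: str,
             policies: Tuple[Policy, ...] = (COMPLEXITY_POLICY, LENGTH_POLICY)
             ) -> Dict[str, List[str]]:
    """Map each policy name to the list of requirements the password fails."""
    return {p.name: p.violations(password) for p in policies}


if __name__ == "__main__":
    # Constructed sample passwords: the first satisfies the complexity policy
    # only, the second satisfies the length policy only.
    for sample in ("P@ssw0rd1", "correct horse battery staple"):
        for policy_name, problems in evaluate(sample).items():
            verdict = "accepted" if not problems else "rejected: " + "; ".join(problems)
            print(f"{sample!r} under {policy_name}: {verdict}")
```

The two constructed samples show why a policy check is not a strength measurement: the complexity policy accepts "P@ssw0rd1" because its substitutions defeat a letters-only dictionary check, and rejects the long multi-word password for lacking classes and containing words, while the length policy does the reverse. Whether either class of policy actually yields harder-to-guess passwords is the empirical question the abstract answers with guessability data, not something a checker like this can decide.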
Index Terms
- Designing Password Policies for Strength and Usability