ABSTRACT
We report the results of a large-scale study of password use and password re-use habits. The study involved half a million users over a three-month period. A client component on users' machines recorded a variety of password strength, usage and frequency metrics. This allows us to measure or estimate such quantities as the average number of passwords and average number of accounts each user has, how many passwords she types per day, how often passwords are shared among sites, and how often they are forgotten. We get extremely detailed data on password strength, the types and lengths of passwords chosen, and how they vary by site. The data is the first large-scale study of its kind, and yields numerous other insights into the role that passwords play in users' online experience.
Index Terms
- A large-scale study of web password habits