Saranga Komanduri
Richard Shay
Patrick Gage Kelley
Lujo Bauer
Lorrie Faith Cranor
Serge Egelman
ABSTRACT
Text-based passwords are the most common mechanism for authenticating humans to computer systems. To prevent users from picking passwords that are too easy for an adversary to guess, system administrators adopt password-composition policies (e.g., requiring passwords to contain symbols and numbers). Unfortunately, little is known about the relationship between password-composition policies and the strength of the resulting passwords, or about the behavior of users (e.g., writing down passwords) in response to different policies. We present a large-scale study that investigates password strength, user behavior, and user sentiment across four password-composition policies. We characterize the predictability of passwords by calculating their entropy, and find that a number of commonly held beliefs about password composition and strength are inaccurate. We correlate our results with user behavior and sentiment to produce several recommendations for password-composition policies that result in strong passwords without unduly burdening users.
- A. Adams, M. A. Sasse, and P. Lunt. Making passwords secure and usable. In HCI 97, 1997. Google Scholar
Digital Library
- M. Bishop and D. V. Klein. Improving system security via proactive password checking. Computers & Security, 14(3):233--249, 1995.Google ScholarDigital Library
- J. Bonneau and S. Preibusch. The password thicket: technical and market failures in human authentication on the web. In Proc. (online) of WEIS'10, June 2010.Google Scholar
- W. E. Burr, D. F. Dodson, and W. T. Polk. Electronic authentication guideline. Technical report, NIST, 2006. Google ScholarDigital Library
- D. Florêncio and C. Herley. A large-scale study of web password habits. In Proc. WWW'07, 2007. Google ScholarDigital Library
- D. Florêncio and C. Herley. Where do security policies come from? In Proc. SOUPS '10, 2010. Google ScholarDigital Library
- P. Inglesant and M. A. Sasse. The true cost of unusable password policies: password use in the wild. In Proc. ACM CHI'10, pages 383--392, 2010. Google ScholarDigital Library
- B. Ives, K. R. Walsh, and H. Schneider. The domino effect of password reuse. C. ACM, 47(4):75--78, 2004. Google ScholarDigital Library
- J. L. Massey. Guessing and entropy. In Proc. IEEE ISIT'94, page 204, 1994.Google ScholarCross Ref
- G. Miller. Note on the bias of information estimates. Info. Th. Psych.: Problems and Methods, 1955.Google Scholar
- L. Paninski. Estimation of entropy and mutual information. Neural Comp., 15(6):1191--1253, 2003. Google ScholarDigital Library
- R. W. Proctor, M.-C. Lien, K.-P. L. Vu, E. E. Schultz, and G. Salvendy. Improving computer security for authentication of users: Influence of proactive password restrictions. Behavior Res. Methods, Instruments, & Computers, 34(2):163--169, 2002.Google Scholar
- S. Schechter, C. Herley, and M. Mitzenmacher. Popularity is everything: A new approach to protecting passwords from statistical-guessing attacks. In Proc. HotSec'10, 2010. Google ScholarDigital Library
- C. E. Shannon. A mathematical theory of communication. ACM SIGMOBILE Mobile Comp. Comm. Rev., 5(1), 1949. Google ScholarDigital Library
- C. E. Shannon. Prediction and entropy of printed english. Bell Systems Tech. J., 30:50--64, 1951.Google ScholarCross Ref
- R. Shay and E. Bertino. A comprehensive simulation tool for the analysis of password policies. Int. J. Info. Sec., 8(4):275--289, 2009. Google ScholarDigital Library
- R. Shay, S. Komanduri, P. Kelley, P. Leon, M. Mazurek, L. Bauer, N. Christin, and L. Cranor. Encountering stronger password requirements: user attitudes and behaviors. In Proc. SOUPS'10, 2010. Google ScholarDigital Library
- J. M. Stanton, K. R. Stam, P. Mastrangelo, and J. Jolton. Analysis of end user security behaviors. Comp. & Security, 24(2):124--133, 2005.Google ScholarDigital Library
- A. Vance. If your password is 123456, just make it hackme. New York Times, http://www.nytimes.com/2010/01/21/technology/21password.html, January 2010, retrieved September 2010.Google Scholar
- K.-P. L. Vu, R. W. Proctor, A. Bhargav-Spantzel, B.-L. B. Tai, and J. Cook. Improving password security and memorability to protect personal and organizational information. Int. J. of Human-Comp. Studies, 65(8):744--757, 2007. Google ScholarDigital Library
- M. Weir, S. Aggarwal, M. Collins, and H. Stern. Testing metrics for password creation policies by attacking large sets of revealed passwords. In Proceedings of the 17th ACM conference on Computer and communications security, CCS '10, pages 162--175, New York, NY, USA, 2010. ACM. Google ScholarDigital Library
- Y. Zhang, F. Monrose, and M. K. Reiter. The security of modern password expiration: An algorithmic framework and empirical analysis. In Proc. ACM CCS'10, 2010. Google ScholarDigital Library
- M. Zviran and W. J. Haga. Password security: an empirical study. J. Mgt. Info. Sys., 15(4):161--185, 1999. Google ScholarDigital Library
Index Terms
- Of passwords and people: measuring the effect of password-composition policies
Recommendations
Encountering stronger password requirements: user attitudes and behaviors
SOUPS '10: Proceedings of the Sixth Symposium on Usable Privacy and SecurityText-based passwords are still the most commonly used authentication mechanism in information systems. We took advantage of a unique opportunity presented by a significant change in the Carnegie Mellon University (CMU) computing services password policy ...
On the memorability of system-generated pins: can chunking help?
SOUPS '15: Proceedings of the Eleventh USENIX Conference on Usable Privacy and SecurityTo ensure that users do not choose weak personal identification numbers (PINs), many banks give out system-generated random PINs. 4-digit is the most commonly used PIN length, but 6-digit system-generated PINs are also becoming popular. The increased ...
System-Assigned Passwords: The Disadvantages of the Strict Password Management Policies
After Morris and Thompson wrote the first paper on password security in 1979, strict password policies have been enforced to make sure users follow the rules on passwords. Many such policies require users to select and use a system-generated password. The ...
Comments