DOI: 10.1145/2335356.2335366
Research article, SOUPS conference proceedings (ACM Other Conferences)

Correct horse battery staple: exploring the usability of system-assigned passphrases

Published: 11 July 2012

ABSTRACT

Users tend to create passwords that are easy to guess, while system-assigned passwords tend to be hard to remember. Passphrases, space-delimited sets of natural language words, have been suggested as both secure and usable for decades. In a 1,476-participant online study, we explored the usability of 3- and 4-word system-assigned passphrases in comparison to system-assigned passwords composed of 5 to 6 random characters, and 8-character system-assigned pronounceable passwords. Contrary to expectations, system-assigned passphrases performed similarly to system-assigned passwords of similar entropy across the usability metrics we examined. Passphrases and passwords were forgotten at similar rates, led to similar levels of user difficulty and annoyance, and were both written down by a majority of participants. However, passphrases took significantly longer for participants to enter, and appear to require error-correction to counteract entry mistakes. Passphrase usability did not seem to increase when we shrunk the dictionary from which words were chosen, reduced the number of words in a passphrase, or allowed users to change the order of words.
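As an added example (not code from the paper), the entropy bookkeeping behind the comparison above: bits per scheme, what accepting any word order costs, and an error-tolerant but constant-time passphrase check. The dictionary and alphabet sizes are assumptions, since the abstract does not report them.

```python
import math
import secrets

# Constructed parameters: the study does not report its dictionary or alphabet
# sizes here, so these are assumptions chosen for illustration only.
WORD_DICT_SIZE = 1024                                # 10 bits per word
CHAR_POOL = "abcdefghijklmnopqrstuvwxyz0123456789"   # 36 symbols, ~5.17 bits each


def entropy_bits(pool_size: int, length: int, order_independent: bool = False) -> float:
    """Bits of entropy in a secret of `length` symbols drawn uniformly, with
    replacement, from a pool of `pool_size` symbols.

    If the verifier accepts the words in any order, distinct secrets are
    multisets, C(pool_size + length - 1, length), rather than pool_size ** length;
    that concession costs roughly log2(length!) bits (about 4.6 bits for 4 words)."""
    distinct = (math.comb(pool_size + length - 1, length)
                if order_independent else pool_size ** length)
    return math.log2(distinct)


def symbols_needed(target_bits: float, pool_size: int) -> int:
    """Smallest number of words (or characters) that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


def assign_secret(pool, length: int, sep: str = "") -> str:
    """System-assigned secret drawn with the OS CSPRNG (secrets, not random)."""
    return sep.join(secrets.choice(pool) for _ in range(length))


def canonical(passphrase: str, order_independent: bool) -> str:
    """Error-tolerant canonical form: case-folded, whitespace-normalised and,
    optionally, word-order independent.  Store and compare this form."""
    words = passphrase.casefold().split()
    if order_independent:
        words.sort()
    return " ".join(words)


def passphrase_matches(entered: str, assigned: str, order_independent: bool = False) -> bool:
    """Constant-time comparison of the canonical forms."""
    return secrets.compare_digest(canonical(entered, order_independent).encode(),
                                  canonical(assigned, order_independent).encode())


if __name__ == "__main__":
    for n in (3, 4):
        print(f"{n}-word passphrase: {entropy_bits(WORD_DICT_SIZE, n):.1f} bits, "
              f"or {entropy_bits(WORD_DICT_SIZE, n, True):.1f} bits if any word order is accepted")
    print("random characters needed to match 30 bits:", symbols_needed(30, len(CHAR_POOL)))
    print("example 6-character secret:", assign_secret(CHAR_POOL, 6))
```

In a real verifier the canonical form would be fed to a password hash rather than compared against stored plaintext; the canonicalisation, not the storage, is the point here.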



Reviews

William Edward Mihalo

This paper describes research associated with systems security. It will be of interest to system administrators and people monitoring network security for an organization. It will also be of interest to people doing research in systems security. The title of this paper is based on a well-known xkcd comic strip [1]. The point of the paper is that it is very easy to remember a password or passphrase with high entropy. The authors lump together the terms "password" and "passphrase" into the term "secret." Thus, a secret can represent either a password or a passphrase. The authors recruited participants using Amazon's Mechanical Turk (MTurk) crowdsourcing service. They received 55 cents for completing the first part of the study and an additional 70 cents for completing the second part. The participants were at least 18 years old, lived in the US, and had never participated in a previous study on passwords. The authors used the following scenario to assess how users create secrets: "Your main email service provider has been attacked[;] ... because of the attack, your email service provider is also changing its password rules. Instead of choosing your own password, one will be assigned to you." The participants then answered a brief survey about their experiences learning their new secrets. Forty-eight hours after completing the first part of the study, the participants received an email asking them to return for part two. The participants were then asked to log in using their assigned secrets. The authors recorded the success of these logins and whether or not the participants had to click on the "Forgot Password" link. After logging in, the participants completed another survey about how they had remembered their secrets, including whether or not they had written them down. The authors found that the system-assigned passwords were not well liked by users. The vast majority of users opted to store them (write them down in some manner).

The authors experimented with secrets composed of words drawn from a variety of dictionaries. They conjecture that they "may be able to create high-entropy [secrets] while selecting dictionaries that meet certain properties." The authors found few differences between three-word and four-word secrets. Three- and four-word secrets with the same entropy are approximately the same length and result in similar typing speeds and error rates. Overall, this is an interesting paper. The authors note the standard methods for solving this password problem: generate a random set of characters that is difficult for someone to memorize, or establish a set of complex rules that requires a person to generate his or her own secret using a combination of letters, numbers, and punctuation marks. Regardless of how such secrets are generated, people are forced to either write them down on paper or use a password management system to store and retrieve them. The authors hint that secrets with three or four words and high entropy may be the best solution for this problem because they are easier to remember.

Online Computing Reviews Service

Published in

SOUPS '12: Proceedings of the Eighth Symposium on Usable Privacy and Security
July 2012, 216 pages
ISBN: 9781450315326
DOI: 10.1145/2335356
Copyright © 2012 Authors
Publisher: Association for Computing Machinery, New York, NY, United States
Published: 11 July 2012
Qualifier: research-article
Overall acceptance rate: 15 of 49 submissions, 31%
