A Large-Scale Evaluation of High-Impact Password Strength Meters

Zhang

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

et al. 2016

263

221

While trawling online/offline password guessing has been intensively studied, only a few studies have examined targeted online guessing, where an attacker guesses a specific victim's password for a service, by exploiting the victim's personal information such as one sister password leaked from her another account and some personally identifiable information (PII). A key challenge for targeted online guessing is to choose the most effective password candidates, while the number of guess attempts allowed by a server's lockout or throttling mechanisms is typically very small.We propose TarGuess, a framework that systematically characterizes typical targeted guessing scenarios with seven sound mathematical models, each of which is based on varied kinds of data available to an attacker. These models allow us to design novel and efficient guessing algorithms. Extensive experiments on 10 large real-world password datasets show the effectiveness of TarGuess. Particularly, TarGuess I∼IV capture the four most representative scenarios and within 100 guesses: (1) TarGuess-I outperforms its foremost counterpart by 142% against security-savvy users and by 46% against normal users; (2) TarGuess-II outperforms its foremost counterpart by 169% on security-savvy users and by 72% against normal users; and (3) Both TarGuess-III and IV gain success rates over 73% against normal users and over 32% against security-savvy users. TarGuess-III and IV, for the first time, address the issue of cross-site online guessing when given the victim's one sister password and some PII.

Section: Evaluation Resultsmentioning

confidence: 99%

Targeted Online Password Guessing

Zhang

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

et al. 2016

263

221

Human Aspects of Information Security, Privacy and Trust

“…This is also echoed by Loge et al's work on a PPC for Android unlock patterns [14], in which they observed that the password strength could be influenced by individual features such as age and gender. (2) to highlight the complexity of password security by externalizing inconsistencies between different PPCs and more advanced attacks on passwords; (3) to engage users actively so that the process of learning is enjoyable, (4) to produce an open system that can be easily executed and customized by users on different platforms. To achieve those design goals, we decided to follow some well-established design principles to design and implement PSV.…”

Section: Related Workmentioning

confidence: 99%

“…Insights learned from research work on PPCs and PSMs [4,5,[25][26][27] have suggested that educating users about password security and attacks is an important aspect to make PPCs more effective, but very few tools have been developed and evaluated for this purpose.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

PSV (Password Security Visualizer): From Password Checking to User Education

Aljaffan

Yuan

2017

Abstract. This paper presents the Password Security Visualizer (PSV), an interactive visualization system specifically designed for password security education. PSV can be seen as a reconfigurable "box" containing different proactive password checkers (PPCs) and visualizers of password security information, allowing it to be used like a "many in one" or "hybrid" PPC. PSV can provide many new features that do not exist in traditional PPCs, thus having a greater potential to achieve its goals of educating users. Using purely client-side Web-based technologies, we implemented a prototype of PSV as an open-source software tool on a 2-D animated canvas. To evaluate the actual performance of our implemented PSV prototype against traditional PPCs, we conducted a semistructured interview involving 20 human participants. Our qualitative analysis of the results showed that PSV was considered the most informative and recommended by most participants as a good educational tool. To the best of our knowledge, PSV is the first system combining different PPCs together for user education, and the user study is the first of this kind on comparing educational effectiveness of different PPCs (and PPC-like password security tools such as PSV).

“…For example, it is widely acknowledged that the password strength meter, which is deployed to help users generate stronger passwords, operates as a black-box and has inconsistent design across multiple websites. As a result, many users are confused about its implications (Carnavalet and Mannan 2015). In addition, users' perception of information security has been shown to mismatch reality (Ur et al 2016).…”

Section: Introductionmentioning

confidence: 99%

Enhancing security behaviour by supporting the user

Furnell

Khern-am-nuai

Esmael

et al. 2018

Computers & Security

Although the role of users in maintaining security is regularly emphasized, this is often not matched by an accompanying level of support. Indeed, users are frequently given insufficient guidance to enable effective security choices and decisions, which can lead to perceived bad behaviour as a consequence. This paper discusses the forms of support that are possible, and seeks to investigate the effect of doing so in practice. Specifically, it presents findings from two experimental studies that investigate how variations in password meter usage and feedback can positively affect the resulting password choices. The first experiment examines the difference between passwords selected by unguided users versus those receiving guidance and alternative forms of feedback (ranging from a traditional password meter through to an emoji-based approach). The findings reveal a 30% drop in weak password choices between unguided and guided usage, with the varying meters then delivering up to 10% further improvement. The second experiment then considers variations in the form of feedback message that users may receive in addition to a meter-based rating. It is shown that by providing richer information (e.g. based upon the time required to crack a password, its relative ranking against other choices, or the probability of it being cracked), users are more motivated towards making strong choices and changing initially weak ones. While the specifics of the experimental findings were focused upon passwords, the discussion also considers the benefits that may be gained by applying the same principles of nudging and guidance to other areas of security in which users are often found to have weak behaviours.