The Benefits of Understanding Passwords

Jakobsson, Markus; Dhiman, Mayank

doi:10.1007/978-1-4614-4878-5_2

Cited by 39 publications

(25 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…If a password contains uppercase letters, digits, or symbols, they are often in predictable locations [3]. Furthermore, most character substitutions (e.g., replacing "e" with "3") found in passwords are predictable [21], [41]. The intuition behind blacklisting the N most common passwords is that users who otherwise would have chosen one of these common passwords will instead choose from a larger space of potential passwords, rather than one of the N next-mostcommon passwords.…”

Section: Background and Related Workmentioning

confidence: 99%

Password Creation in the Presence of Blacklists

Habib¹,

Colnago²,

Melicher³

et al. 2017

Proceedings 2017 Workshop on Usable Security

View full text Add to dashboard Cite

Attackers often target common passwords in guessing attacks. Some website administrators have reacted to this by making these passwords ineligible for use on their site. While past research has shown that adding a blacklist to a password policy generally makes resulting passwords harder to guess, it is important to understand whether users go on to create significantly stronger passwords, or ones that are only marginally better. In this paper we investigate how users change the composition and strength of their passwords after a blacklisted password attempt. Additionally, we analyze the impact on sentiment toward password creation that occurs when a user attempts to create a blacklisted password. Our examination utilizes data collected from a previous online study evaluating various design features of a password meter through a password creation task. We analyzed 2,280 password creation sessions and found that participants who reused even a modified version of a blacklisted attempt during the task ultimately created significantly weaker passwords than those who did not attempt to use a blacklisted password. However, our results indicate that text feedback provided by a password meter mitigated this effect.

show abstract

Section: Background and Related Workmentioning

confidence: 99%

Password Creation in the Presence of Blacklists

Habib¹,

Colnago²,

Melicher³

et al. 2017

Proceedings 2017 Workshop on Usable Security

View full text Add to dashboard Cite

show abstract

“…Many researchers use password corpora collected from various security leaks [14,24,26,35,53,55]. These corpora tend to be very large (tens of thousands to millions), and they represent in-use passwords selected by users.…”

Section: Password Corporamentioning

confidence: 99%

“…Prior password studies all have one or more of the following drawbacks: very small data sets [36], data from experimental studies rather than from deployed authentication systems [31], no access to plaintext passwords [3], self-reported password information [47], leaked data of questionable validity, or accounts of minimal value [26,53]. As a result, the important question of whether the results apply to real, high-value passwords has remained open.…”

Section: Introductionmentioning

confidence: 99%

Measuring password guessability for an entire university

Mazurek

Komanduri

Vidas

et al. 2013

Proceedings of the 2013 ACM SIGSAC Conference on Computer &Amp; Communications Security - CCS '13

161

View full text Add to dashboard Cite

Despite considerable research on passwords, empirical studies of password strength have been limited by lack of access to plaintext passwords, small data sets, and password sets specifically collected for a research study or from low-value accounts. Properties of passwords used for high-value accounts thus remain poorly understood.We fill this gap by studying the single-sign-on passwords used by over 25,000 faculty, staff, and students at a research university with a complex password policy. Key aspects of our contributions rest on our (indirect) access to plaintext passwords. We describe our data collection methodology, particularly the many precautions we took to minimize risks to users. We then analyze how guessable the collected passwords would be during an offline attack by subjecting them to a state-of-the-art password cracking algorithm. We discover significant correlations between a number of demographic and behavioral factors and password strength. For example, we find that users associated with the computer science school make passwords more than 1.8 times as strong as those of users associated with the business school. In addition, we find that stronger passwords are correlated with a higher rate of errors entering them.We also compare the guessability and other characteristics of the passwords we analyzed to sets previously collected in controlled experiments or leaked from low-value accounts. We find more consistent similarities between the university passwords and passwords collected for research studies under similar composition policies than we do between the university passwords and subsets of passwords leaked from low-value accounts that happen to comply with the same policies.

show abstract

“…Weak passwords [15] are a major cause of data and security breaches. SplashData reveals each year its annual 25 Worst Passwords of the Year list 2 .…”

Section: Related Workmentioning

confidence: 99%

SmartAuth

Preuveneers

Joosen

2015

Proceedings of the 30th Annual ACM Symposium on Applied Computing

View full text Add to dashboard Cite

As recent incidents have shown, weak passwords are a severe security risk for authenticating users and granting access to protected resources. Additionally, strong passwords score low on usability, especially on mobile devices. In this work, we present SmartAuth, a scalable context-aware authentication framework built on top of OpenAM, a state-of-practice identity and access management suite. It uses adaptive and dynamic context fingerprinting based on Hoeffding trees to continuously ascertain whether a user's identity is authentic or not, and it respects privacy preferences by adopting consent-driven use of context information. We assess our approach from both an offensive and defensive security perspective. Our results show that dynamic context fingerprinting has good potential for a zero-interaction authentication scheme, with a minimal performance overhead compared to traditional authentication schemes.

show abstract

The Benefits of Understanding Passwords

Cited by 39 publications

References 14 publications

Password Creation in the Presence of Blacklists

Password Creation in the Presence of Blacklists

Measuring password guessability for an entire university

SmartAuth

Contact Info

Product

Resources

About