Guess Again (and again and again): Measuring Password Strength by Simulating Password-Cracking Algorithms
CMU-CYLAB-11-008, 2011
Cited by 55 (10 self)
Abstract
Text-based passwords remain the dominant authentication method in computer systems, despite significant advancement in attackers’ capabilities to perform password cracking. In response to this threat, password composition policies have grown increasingly complex. However, there is insufficient research defining metrics to characterize password strength and evaluating password-composition policies using these metrics. In this paper, we describe an analysis of 12,000 passwords collected under seven composition policies via an online study. We develop an efficient distributed method for calculating how effectively several heuristic password-guessing algorithms guess passwords. Leveraging this method, we investigate (a) the resistance of passwords created under different conditions to password guessing; (b) the performance of guessing algorithms under different training sets; (c) the relationship between passwords explicitly created under a given composition policy and other passwords that happen to meet the same requirements; and (d) the relationship between guessability, as measured with password-cracking algorithms, and entropy estimates. We believe our findings advance understanding of both password-composition policies and metrics for quantifying password security.
Encountering Stronger Password Requirements: User Attitudes and Behaviors
In SOUPS ’10: Proceedings of the Sixth Symposium on Usable Privacy and Security. ACM, 2010
Cited by 48 (9 self)
Abstract
Text-based passwords are still the most commonly used authentication mechanism in information systems. We took advantage of a unique opportunity presented by a significant change in the Carnegie Mellon University (CMU) computing services password policy that required users to change their passwords. Through our survey of 470 CMU computer users, we collected data about behaviors and practices related to the use and creation of passwords. We also captured users’ opinions about the new, stronger policy requirements. Our analysis shows that, although most of the users were annoyed by the need to create a complex password, they believe that they are now more secure. Furthermore, we perform an entropy analysis and discuss how our findings relate to NIST recommendations for creating a password policy. We also examine how users answer specific questions related to their passwords. Our results can be helpful in designing better password policies that consider not only technical aspects of specific policy rules, but also users’ behavior in response to those rules.
How does your password measure up? The effect of strength meters on password creation
In Proc. USENIX Security, 2012
Cited by 28 (10 self)
Abstract
To help users create stronger text-based passwords, many web sites have deployed password meters that provide visual feedback on password strength. Although these meters are in wide use, their effects on the security and usability of passwords have not been well studied. We present a 2,931-subject study of password creation in the presence of 14 password meters. We found that meters with a variety of visual appearances led users to create longer passwords. However, significant increases in resistance to a password-cracking algorithm were only achieved using meters that scored passwords stringently. These stringent meters also led participants to include more digits, symbols, and uppercase letters. Password meters also affected the act of password creation. Participants who saw stringent meters spent longer creating their password and were more likely to change their password while entering it, yet they were also more likely to find the password meter annoying. However, the most stringent meter and those without visual bars caused participants to place less importance on satisfying the meter. Participants who saw more lenient meters tried to fill the meter and were averse to choosing passwords a meter deemed “bad” or “poor.” Our findings can serve as guidelines for administrators seeking to nudge users towards stronger passwords.
Where Do Security Policies Come From?
Cited by 27 (3 self)
Abstract
We examine the password policies of 75 different websites. Our goal is to understand the enormous diversity of requirements: some will accept simple six-character passwords, while others impose rules of great complexity on their users. We compare different features of the sites to find which characteristics are correlated with stronger policies. Our results are surprising: greater security demands do not appear to be a factor. The size of the site, the number of users, the value of the assets protected and the frequency of attacks show no correlation with strength. In fact we find the reverse: some of the largest, most attacked sites with greatest assets allow relatively weak passwords. Instead, we find that those sites that accept advertising, purchase sponsored links and where the user has a choice show strong inverse correlation with strength. We conclude that the sites with the most restrictive password policies do not have greater security concerns, they are simply better insulated from the consequences of poor usability. Online retailers and sites that sell advertising must compete vigorously for users and traffic. In contrast to government and university sites, poor usability is a luxury they cannot afford. This in turn suggests that much of the extra strength demanded by the more restrictive policies is superfluous: it causes considerable inconvenience for negligible security improvement.
Correct horse battery staple: Exploring the usability of system-assigned passphrases
Symposium on Usable Privacy & Security (SOUPS), 2012
Cited by 25 (5 self)
Abstract
Users tend to create passwords that are easy to guess, while system-assigned passwords tend to be hard to remember. Passphrases, space-delimited sets of natural language words, have been suggested as both secure and usable for decades. In a 1,476-participant online study, we explored the usability of 3- and 4-word system-assigned passphrases in comparison to system-assigned passwords composed of 5 to 6 random characters, and 8-character system-assigned pronounceable passwords. Contrary to expectations, system-assigned passphrases performed similarly to system-assigned passwords of similar entropy across the usability metrics we examined. Passphrases and passwords were forgotten at similar rates, led to similar levels of user difficulty and annoyance, and were both written down by a majority of participants. However, passphrases took significantly longer for participants to enter, and appear to require error-correction to counteract entry mistakes. Passphrase usability did not seem to increase when we shrunk the dictionary from which words were chosen, reduced the number of words in a passphrase, or allowed users to change the order of words.
Measuring password guessability for an entire university
In ACM CCS, 2013
Cited by 17 (7 self)
Abstract
Despite considerable research on passwords, empirical studies of password strength have been limited by lack of access to plaintext passwords, small data sets, and password sets specifically collected for a research study or from low-value accounts. Properties of passwords used for high-value accounts thus remain poorly understood. We fill this gap by studying the single-sign-on passwords used by over 25,000 faculty, staff, and students at a research university with a complex password policy. Key aspects of our contributions rest on our (indirect) access to plaintext passwords. We describe our data collection methodology, particularly the many precautions we took to minimize risks to users. We then analyze how guessable the collected passwords would be during an offline attack by subjecting them to a state-of-the-art password cracking algorithm. We discover significant correlations between a number of demographic and behavioral factors and password strength. For example, we find that users associated with the computer science school make passwords more than 1.8 times as strong as those of users associated with the business school. In addition, we find that stronger passwords are correlated with a higher rate of errors entering them. We also compare the guessability and other characteristics of the passwords we analyzed to sets previously collected in controlled experiments or leaked from low-value accounts. We find more consistent similarities between the university passwords and passwords collected for research studies under similar composition policies than we do between the university passwords and subsets of passwords leaked from low-value accounts that happen to comply with the same policies.
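The guess-number methodology behind the two guessability abstracts above (Guess Again, and Measuring password guessability for an entire university), as an added example that is not code from either paper or from any real cracking tool: a toy cracker whose guess number for a password is its position in an ordered sequence of wordlist entries under mangling rules, with a NIST-style entropy estimate computed beside it to show how the two measures can disagree. The wordlist, rule order, and sample passwords are constructed assumptions; the entropy function approximates the NIST SP 800-63 Appendix A heuristic and omits its optional dictionary-check bonus.

```python
# Added example, not code from any paper listed on this page.
# Guess number = 1-based position of a password in the ordered guess
# sequence of a (toy) heuristic cracker; lower means weaker.
import math

# Constructed training wordlist, most frequent first (assumption, not a real leak).
WORDLIST = ["password", "123456", "qwerty", "letmein", "monkey", "dragon"]


def leet(word):
    """Simple character substitutions a mangling rule might apply."""
    return word.translate(str.maketrans("aeios", "@310$"))


# Mangling rules in the order the toy cracker tries them (rule-major:
# every wordlist entry is tried under a rule before the next rule starts).
RULES = [
    ("identity", lambda w: w),
    ("capitalize", lambda w: w.capitalize()),
    ("append-1", lambda w: w + "1"),
    ("append-!", lambda w: w + "!"),
    ("cap-append-1", lambda w: w.capitalize() + "1"),
    ("cap-append-!", lambda w: w.capitalize() + "!"),
    ("leet", leet),
    ("cap-append-1!", lambda w: w.capitalize() + "1!"),
]


def guess_sequence():
    """Yield guesses in cracker order, skipping duplicates so that each
    distinct candidate consumes exactly one guess."""
    seen = set()
    for _name, rule in RULES:
        for word in WORDLIST:
            guess = rule(word)
            if guess not in seen:
                seen.add(guess)
                yield guess


def guess_number(password, cutoff=10**6):
    """Return the 1-based guess number, or None if the password is not
    guessed within `cutoff` guesses (i.e. stronger than the cutoff)."""
    for index, guess in enumerate(guess_sequence(), start=1):
        if index > cutoff:
            return None
        if guess == password:
            return index
    return None


def nist_entropy_bits(password):
    """Approximation of the NIST SP 800-63 (2006) Appendix A heuristic for
    user-chosen passwords: 4 bits for the first character, 2 bits each for
    characters 2-8, 1.5 bits each for 9-20, 1 bit each beyond, plus a 6-bit
    bonus when both upper-case and non-alphabetic characters are present.
    The optional dictionary-check bonus is omitted."""
    bits = 0.0
    for position in range(1, len(password) + 1):
        if position == 1:
            bits += 4
        elif position <= 8:
            bits += 2
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1
    has_upper = any(c.isupper() for c in password)
    has_non_alpha = any(not c.isalpha() for c in password)
    if has_upper and has_non_alpha:
        bits += 6
    return bits


def compare(passwords):
    """Return (password, guess_number, nist_estimate_bits, observed_bits)
    per password, where observed_bits = log2(guess number), the strength
    the cracker actually saw; None when the password was not guessed."""
    rows = []
    for pw in passwords:
        g = guess_number(pw)
        observed = math.log2(g) if g else None
        rows.append((pw, g, nist_entropy_bits(pw), observed))
    return rows


if __name__ == "__main__":
    sample = ["password", "Password1!", "Dragon1!", "correcthorsebatterystaple"]
    for pw, g, est, obs in compare(sample):
        obs_text = "not guessed" if obs is None else f"{obs:.1f} bits"
        print(f"{pw:28s} guess#={g!s:>5}  NIST~{est:5.1f} bits  observed {obs_text}")
```

The point of running it on the constructed sample is the last column: "Password1!" scores 27 bits under the entropy heuristic because it satisfies a composition rule, yet the toy cracker reaches it on guess 39 (about 5.3 observed bits), while the unmangled passphrase is never guessed at all. That gap is what the guessability-versus-entropy comparison in the abstracts above is about; a real study replaces the six-word list and eight rules with large training sets and production crackers, but the measurement is the same.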
A diary study of password usage in daily life
2010
Cited by 15 (4 self)
Abstract
While past work has examined password usage on a specific computer, web site, or organization, there is little work examining overall password usage in daily life. Through a diary study, we examine all usage of passwords, and offer some new findings based on quantitative analyses regarding how often people log in, where they log in, and how frequently people use foreign computers. Our analysis also confirms or updates existing statistics about password usage patterns. We also discuss some implications for design as well as security education.
CASA: Context-aware scalable authentication
2013
Cited by 13 (0 self)
Abstract
We introduce context-aware scalable authentication (CASA) as a way of balancing security and usability for authentication. Our core idea is to choose an appropriate form of active authentication (e.g., typing a PIN) based on the combination of multiple passive factors (e.g., a user’s current location) for authentication. We provide a probabilistic framework for dynamically selecting an active authentication scheme that satisfies a specified security requirement given passive factors. We also present the results of three user studies evaluating the feasibility and users’ receptiveness of our concept. Our results suggest that location data has good potential as a passive factor, and that users can reduce up to 68% of active authentications when using an implementation of CASA, compared to always using fixed active authentication. Furthermore, our participants, including those who do not use any security mechanisms on their phones, were very positive about CASA and amenable to using it on their phones.
Usability and Security Evaluation of GeoPass: a Geographic Location-Password Scheme
Cited by 7 (1 self)
Abstract
We design, implement, and evaluate GeoPass: an interface for digital map-based authentication where a user chooses a place as his or her password (i.e., a “location-password”). We conducted a multi-session in-lab/at-home user study to evaluate the usability, memorability, and security of location-passwords created with GeoPass. The results of our user study found that 97% of users were able to remember their location-password over the span of 8-9 days and most without any failed login attempts. Users generally welcomed GeoPass; all of the users who completed the study reported that they would at least consider using GeoPass for some of their accounts. We also perform an in-depth usability and security analysis of location-passwords. Our security analysis includes the effect of information that could be gleaned from social engineering. The results of our security analysis show that location-passwords created with GeoPass can have reasonable security against online attacks, even when accounting for social engineering attacks. Based on our results, we suggest GeoPass would be most appropriate in contexts where logins occur infrequently, e.g., as an alternative to secondary authentication methods used for password resets, or for infrequently used online accounts.
A Stealth Approach to Usable Security: Helping IT Security Managers to Identify Workable Security Solutions
Cited by 7 (1 self)
Abstract
Recent advances in the research of usable security have produced many new security mechanisms that improve usability. However, these mechanisms have not been widely adopted in practice. In most organisations, IT security managers decide on security policies and mechanisms, seemingly without considering usability. IT security managers consider risk reduction and the business impact of information security controls, but not the impact that controls have on users. Rather than trying to remind security managers of usability, we present a new paradigm – a stealth approach which incorporates the impact of security controls on users’ productivity and willingness to comply into business impact and risk reduction. During two 2-hour sessions, 3 IT security managers discussed with us mock-up tool prototypes that embody these principles, alongside a range of potential usage scenarios (e.g. cloud-based password-cracking attacks and “hotdesking” initiatives). Our tool design process elicits findings to help develop mechanisms to visualise these tradeoffs.