Telepathwords: Preventing Weak Passwords by Reading Users' Minds

To discourage the creation of predictable passwords, which are vulnerable to guessing attacks, we present Telepathwords. As a user creates a password, Telepathwords makes real-time predictions of the next character that user will type. While the concept is simple, making accurate predictions requires efficient algorithms to model users' behavior and to use the already-typed characters to predict subsequent ones. We first made the Telepathwords technology available to the public in late 2013 and have since served hundreds of thousands of user sessions. We ran a human-subjects experiment to compare password policies that use Telepathwords with policies that rely on composition rules, evaluating participants' passwords with two different password-evaluation algorithms. We found that participants create far fewer weak passwords under the Telepathwords-based policies than under policies based only on character composition. Participants using Telepathwords were also more likely to report that the password feedback was helpful.
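The abstract describes the mechanism at a high level only: predict the next character from what has already been typed, and give the user credit only for characters that were not predicted. The following is an added illustration of that idea, not the Telepathwords implementation or any code from the paper. The corpus of common passwords, the three predictors (character n-grams with backoff, QWERTY adjacency, repetition), the fixed weights for the adjacency and repetition predictors, the top-3 cutoff and the "unpredicted length" score are all assumptions made here for the example; the real system's models and scoring are not described on this page.

```javascript
// Added example: a toy Telepathwords-style next-character predictor.
// Not the paper's implementation. Corpus, predictor weights and scoring are constructed here.

// Constructed mini corpus of common-password-style strings (sample data, not a real breach list).
const COMMON_PASSWORDS = [
  "password", "password1", "123456", "12345678", "qwerty", "letmein",
  "iloveyou", "monkey", "dragon", "baseball", "football", "sunshine",
  "princess", "welcome", "abc123", "admin", "login", "passw0rd",
];

// QWERTY rows, used to predict keyboard walks such as "qwerty" or "asdf".
const QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"];

// Build a character-level n-gram table: for every context of length 0..maxOrder-1,
// count which character followed it in the corpus. "^" marks the start of a password.
function buildNgramModel(corpus, maxOrder = 3) {
  const table = new Map(); // context -> Map(nextChar -> count)
  for (const pw of corpus) {
    const s = "^" + pw.toLowerCase();
    for (let i = 1; i < s.length; i++) {
      for (let order = 0; order < maxOrder && order <= i; order++) {
        const ctx = s.slice(i - order, i);
        if (!table.has(ctx)) table.set(ctx, new Map());
        const next = table.get(ctx);
        next.set(s[i], (next.get(s[i]) || 0) + 1);
      }
    }
  }
  return table;
}

// Rank candidate next characters for the typed prefix. The longest context with
// statistics wins (simple backoff); keyboard neighbours of the last key and a
// repeat of the last key are added with fixed, assumed weights.
function predictNext(model, prefix, k = 3) {
  const s = "^" + prefix.toLowerCase();
  const scores = new Map();
  const bump = (c, v) => scores.set(c, Math.max(scores.get(c) || 0, v));

  // 1. n-gram backoff: trigram context, then bigram, then unigram frequencies.
  for (let order = Math.min(2, s.length); order >= 0; order--) {
    const next = model.get(s.slice(s.length - order));
    if (next) {
      const total = [...next.values()].reduce((a, b) => a + b, 0);
      for (const [c, n] of next) bump(c, n / total);
      break;
    }
  }
  // 2. keyboard adjacency: keys immediately left/right of the last typed key.
  const last = s[s.length - 1];
  for (const row of QWERTY_ROWS) {
    const idx = row.indexOf(last);
    if (idx < 0) continue;
    for (const j of [idx - 1, idx + 1]) if (j >= 0 && j < row.length) bump(row[j], 0.5);
  }
  // 3. repetition of the last typed character ("aaaa", "1111").
  if (last !== "^") bump(last, 0.4);

  return [...scores.entries()]
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .slice(0, k)
    .map(([c]) => c);
}

// Replay the password as it would be typed and count the characters that were
// NOT among the top-k predictions. That count is the "unpredicted length" a
// Telepathwords-style meter would credit; the trace shows what was predicted where.
function unpredictedLength(model, password, k = 3) {
  let credit = 0;
  const trace = [];
  for (let i = 0; i < password.length; i++) {
    const guesses = predictNext(model, password.slice(0, i), k);
    const hit = guesses.includes(password[i].toLowerCase());
    if (!hit) credit++;
    trace.push({ char: password[i], predicted: hit, guesses });
  }
  return { credit, trace };
}

const model = buildNgramModel(COMMON_PASSWORDS);
for (const pw of ["password", "qwerty", "zk9!xq"]) {
  const { credit, trace } = unpredictedLength(model, pw);
  console.log(pw, "unpredicted characters:", credit);
  for (const step of trace) console.log("  ", step.char, step.predicted ? "predicted" : "credited", step.guesses.join(""));
}
```

Every character of "password" is in the top three predictions at the moment it is typed, so it earns no credit, while the constructed string "zk9!xq" is credited for all six characters. A real deployment would need a much larger corpus and a compact index for it (the paper cites work on space-efficient top-k completion structures for this reason), but the feedback loop itself is this small.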
