An Empirical Analysis on the Usability and Security of Passwords

Security and usability are two essential properties of a system, but they usually pull in opposite directions: gaining one often means giving up some of the other. Password-based authentication needs both. Yet the ever stricter composition rules introduced to make passwords stronger frequently push users into behaviour that undermines usability: they forget complex passwords, so they write them down, reuse them across accounts, or store them insecurely. Strengthening passwords without sacrificing their usability has become one of the main challenges for users and security practitioners alike. In this paper, we define the pronounceability of a password as a measure of how easy it is to memorize, an aspect we associate with usability. We examine a dataset of more than 7 million passwords to determine whether user-generated passwords are secure. We then convert the user-generated passwords into phonemes and measure the pronounceability of the phoneme-based representations. Finally, we relate the two measures and suggest how password-creation strategies can be adapted to serve both security and usability.
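The pipeline the abstract sketches, scoring each password once for pronounceability and once for strength and then relating the two, can be illustrated on a small constructed sample. The block below is an added example, not the paper's code or its actual method: the syllable pattern standing in for a phoneme conversion, the leet-substitution table, the ten-word "cracking dictionary", the mangling-rule count and the zxcvbn-style strength formula are all assumptions chosen for illustration.

```python
"""Added illustration: pronounceability versus a crude strength estimate
on a constructed password sample. Not the paper's method; the syllable
pattern, leet table, wordlist and strength formula are assumptions."""
import math
import re

# Assumption: a syllable is an onset of up to three consonants, one or two
# vowels and a coda of up to three consonants. 'y' is treated as a vowel.
CONS = "bcdfghjklmnpqrstvwxz"
SYLLABLE = re.compile(rf"[{CONS}]{{0,3}}[aeiouy]{{1,2}}[{CONS}]{{0,3}}")

# Assumption: common leet substitutions are undone before analysis, since
# "P@ssw0rd" is pronounced like "password" and guessed like it too.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = {"password", "monkey", "dragon", "letmein", "correct",
            "horse", "battery", "staple", "sunshine", "qwerty"}
MANGLING_RULES = 1000  # assumed number of rules an attacker tries per word


def deleet(password: str) -> str:
    """Lower-case the password and undo the leet substitutions above."""
    return password.lower().translate(LEET)


def pronounceability(password: str) -> float:
    """Fraction of the password's characters that fall inside syllable-shaped
    letter runs. Digits and symbols that are not leet substitutions, and
    consonant clusters no syllable can absorb, count as unpronounceable."""
    if not password:
        return 0.0
    letters = "".join(ch for ch in deleet(password) if ch.isalpha())
    covered = pos = 0
    while pos < len(letters):
        m = SYLLABLE.match(letters, pos)
        if m:  # the pattern always consumes at least one vowel, so m.end() > pos
            covered += m.end() - pos
            pos = m.end()
        else:
            pos += 1  # letter that fits no syllable: skip it
    return covered / len(password)


def alphabet_size(password: str) -> int:
    """Size of the brute-force alphabet implied by the character classes used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII symbols
    return size


def dictionary_bits(password: str) -> float:
    """Guess-count estimate (bits) for a wordlist-plus-mangling attacker:
    each dictionary word found by greedy longest match costs
    log2(|WORDLIST| * MANGLING_RULES); every other character is brute-forced."""
    text = deleet(password)
    per_char = math.log2(alphabet_size(password))
    per_word = math.log2(len(WORDLIST) * MANGLING_RULES)
    bits, pos = 0.0, 0
    while pos < len(text):
        for end in range(len(text), pos, -1):
            if text[pos:end] in WORDLIST:
                bits += per_word
                pos = end
                break
        else:
            bits += per_char
            pos += 1
    return bits


def strength_bits(password: str) -> float:
    """Crude strength in bits: the cheaper of brute force over the character
    classes present and the dictionary attack above (zxcvbn-style idea)."""
    if not password:
        return 0.0
    brute = len(password) * math.log2(alphabet_size(password))
    return min(brute, dictionary_bits(password))


def pearson(xs, ys) -> float:
    """Pearson correlation between two equally long sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return sxy / (sx * sy) if sx and sy else 0.0


def analyse(passwords):
    """Score every password on both axes and correlate the two scores."""
    rows = [(pw, pronounceability(pw), strength_bits(pw)) for pw in passwords]
    r = pearson([p for _, p, _ in rows], [b for _, _, b in rows])
    return rows, r


# Constructed sample, not drawn from any leaked dataset.
SAMPLE = ["password", "monkey123", "P@ssw0rd1!", "xkcd", "zq7#Lm!p",
          "letmein", "sunshine", "correcthorsebatterystaple", "dragon2024"]

if __name__ == "__main__":
    rows, r = analyse(SAMPLE)
    for pw, pron, bits in rows:
        print(f"{pw:28} pronounceability={pron:.2f} strength={bits:5.1f} bits")
    print(f"pearson r = {r:+.2f}")
```

On this toy scale "password" scores fully pronounceable but only about 13 bits, because it is one wordlist entry away from being guessed; "P@ssw0rd1!" keeps almost all of its pronounceability after leet is undone and gains only a dozen bits, while "correcthorsebatterystaple" is both fully pronounceable and the strongest entry, since it costs four dictionary lookups rather than one. That is the kind of creation strategy the abstract points to, and a real analysis would replace the syllable regex with a grapheme-to-phoneme converter and the ten-word list with a guess-number estimator trained on leaked corpora.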
