Measuring password guessability for an entire university

Despite considerable research on passwords, empirical studies of password strength have been limited by lack of access to plaintext passwords, small data sets, and password sets specifically collected for a research study or from low-value accounts. Properties of passwords used for high-value accounts thus remain poorly understood. We fill this gap by studying the single-sign-on passwords used by over 25,000 faculty, staff, and students at a research university with a complex password policy. Key aspects of our contributions rest on our (indirect) access to plaintext passwords. We describe our data collection methodology, particularly the many precautions we took to minimize risks to users. We then analyze how guessable the collected passwords would be during an offline attack by subjecting them to a state-of-the-art password cracking algorithm. We discover significant correlations between a number of demographic and behavioral factors and password strength. For example, we find that users associated with the computer science school make passwords more than 1.5 times as strong as those of users associated with the business school. In addition, we find that stronger passwords are correlated with a higher rate of errors entering them. We also compare the guessability and other characteristics of the passwords we analyzed to sets previously collected in controlled experiments or leaked from low-value accounts. We find more consistent similarities between the university passwords and passwords collected for research studies under similar composition policies than we do between the university passwords and subsets of passwords leaked from low-value accounts that happen to comply with the same policies.
