论文信息 - Survival of the Shortest: A Retrospective Analysis of Influencing Factors on Password Composition

Survival of the Shortest: A Retrospective Analysis of Influencing Factors on Password Composition

In this paper, we investigate the evolutionary change of user-selected passwords. We conducted one-on-one interviews and analyzed the complexity and the diversity of users’ passwords using different analysis tools. By comparing their first-ever created passwords to several of their currently used passwords (e.g. most secure, policy-based), we were able to trace password reuse, password changes and influencing factors on the evolutionary process. Our approach allowed for analyzing security aspects without actually knowing the clear-text passwords. The results reveal that currently used passwords are significantly longer than the participants’ first passwords and that most participants are aware of how to compose strong passwords. However, most users are still using significantly weaker passwords for most services. These weak passwords, often with roots in the very first passwords the users have chosen, apparently survive very well, despite password policies and password meters.

Heinrich Hußmann | Alexander De Luca | Emanuel von Zezschwitz

[1] Lujo Bauer,et al. Encountering stronger password requirements: user attitudes and behaviors , 2010, SOUPS.

[2] Joseph Bonneau,et al. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords , 2012, 2012 IEEE Symposium on Security and Privacy.

[3] Gavriel Salvendy,et al. Improving computer security for authentication of users: Influence of proactive password restrictions , 2002, Behavior research methods, instruments, & computers : a journal of the Psychonomic Society, Inc.

[4] Sudhir Aggarwal,et al. Testing metrics for password creation policies by attacking large sets of revealed passwords , 2010, CCS '10.

[5] M. Angela Sasse,et al. Making Passwords Secure and Usable , 1997, BCS HCI.

[6] Barbara S. Chaparro,et al. Password Security: What Users Know and What They Actually Do , 2006 .

[7] M. Angela Sasse,et al. Users are not the enemy , 1999, CACM.

[8] Lujo Bauer,et al. Of passwords and people: measuring the effect of password-composition policies , 2011, CHI.