The Password Doesn't Fall Far: How Service Influences Password Choice

Users often create passwords based on familiar words or things they like, using these passwords across many web services. But does the type of web service influence how users construct their password? In this paper, we observe how and how often passwords are specific to the services for which they were created. We analyze leaked passwords from five web services. We find that passwords from each service reflect the category of the service, often by including the name or semantic theme of the service. Through a qualitative analysis of passwords, we further identify unique characteristics of the passwords created for each service. Service-specific passwords can reveal other shared interests or demographics of that service’s userbase. This contextual perspective on password creation suggests improvements for site-specific blacklists and password-strength meters.
