Do Differences in Password Policies Prevent Password Reuse?

Password policies were originally designed to make users pick stronger passwords. However, research has shown that they often fail to achieve this goal. In a systematic audit of the top 100 web sites in Germany, we explore whether the diversity of current real-world password policies prevents password reuse. We found that this is not the case: we are the first to show that a single password could hypothetically fulfill 99% of the policies under consideration. This is especially problematic because password reuse exposes users to risks similar to those of weak passwords. We thus propose a new approach for policies that focuses on password reuse and takes other websites into account when determining whether a password should be accepted. This re-design reflects current user behavior and potentially boosts both the usability and the security of password-based authentication.
