Supporting Password-Security Decisions with Data

Despite decades of research into developing abstract security advice and improving interfaces, users still struggle to create passwords. Users frequently create passwords that are predictable for attackers or make other decisions (e.g., reusing the same password across accounts) that harm their security. In this thesis, I use data-driven methods to better understand how users choose passwords and how attackers guess passwords. I then combine these insights into a better password-strength meter that provides real-time, data-driven feedback about the user's candidate password. I first quantify the impact on password security and usability of showing users different password-strength meters that score passwords using basic heuristics. I find in a 2,931-participant online study that meters that score passwords stringently and present their strength estimates visually lead users to create stronger passwords without significantly impacting password memorability. Second, to better understand how attackers guess passwords, I perform comprehensive experiments on password-cracking approaches. I find that simply running these approaches in their default configuration is insufficient, but considering multiple well-configured approaches in parallel can serve as a proxy for guessing by an expert in password forensics. The third and fourth sections of this thesis delve further into how users choose passwords. Through a series of analyses, I pinpoint ways in which users structure semantically significant content in their passwords. I also examine the relationship between users' perceptions of password security and passwords' actual security, finding that while users often correctly judge the security impact of individual password characteristics, wide variance in their understanding of attackers may lead users to judge predictable passwords as sufficiently strong.

Finally, I integrate these insights into an open-source password-strength meter that gives users data-driven feedback about their specific password. I evaluate this meter through a ten-participant laboratory study and a 4,509-participant online study.

Thesis statement: The objective of this thesis is to demonstrate how integrating data-driven insights about how users create and how attackers guess passwords into a tool that presents real-time feedback can equip users to make better passwords.
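The abstract makes two claims that are easier to see with numbers in hand: that several well-configured cracking approaches run in parallel estimate guessability better than any single approach, and that a meter scoring the same password stringently rather than leniently gives different feedback. The following is an added example written for this page; it is not code or data from the thesis. It assumes one reading of "in parallel" (a password's guess number is the smallest guess number any approach assigns it), and the approach names (`markov`, `pcfg`, `mangling`), the guess numbers, and the band thresholds in `LENIENT_CUTS` and `STRINGENT_CUTS` are all constructed for illustration.

```python
"""Combine per-approach guess numbers and map the result to meter feedback.

Added example, not the thesis's code or data.  The combination rule
(take the minimum guess number across approaches), the approach names,
the sample guess numbers and the band thresholds are assumptions
constructed for illustration.
"""
import math

NOT_GUESSED = math.inf

# Constructed sample.  Each value is the number of guesses an approach makes
# before it produces the password; None means the approach never produced
# it within its guessing cutoff.
GUESS_TABLE = {
    "password1":                 {"markov": 2_000, "pcfg": 120,        "mangling": 60},
    "iloveyou2":                 {"markov": 500,   "pcfg": 900,        "mangling": None},
    "Tr0ub4dor&3":               {"markov": None,  "pcfg": 30_000_000, "mangling": 3_000_000},
    "correcthorsebatterystaple": {"markov": None,  "pcfg": None,       "mangling": 8_000_000_000},
    "Xq7!vL#2pz":                {"markov": None,  "pcfg": None,       "mangling": None},
}


def approaches(table):
    """Sorted names of every approach that appears in the table."""
    names = set()
    for row in table.values():
        names.update(row)
    return sorted(names)


def combined_guess_number(row):
    """Smallest guess number any approach assigns; inf if none guesses it."""
    return min((g for g in row.values() if g is not None), default=NOT_GUESSED)


def fraction_guessed(guess_numbers, budget):
    """Share of passwords whose guess number falls within the guess budget."""
    hits = sum(1 for g in guess_numbers if g <= budget)
    return hits / len(guess_numbers)


def coverage_report(table, budget):
    """Fraction guessed within `budget` for each approach alone and combined.

    A single approach can only undercount guessable passwords relative to the
    combined figure, which is why the combination is the more conservative
    (defender-friendly) estimate.
    """
    report = {}
    for name in approaches(table):
        single = [NOT_GUESSED if row.get(name) is None else row[name]
                  for row in table.values()]
        report[name] = fraction_guessed(single, budget)
    combined = [combined_guess_number(row) for row in table.values()]
    report["combined"] = fraction_guessed(combined, budget)
    return report


# Assumed band thresholds, expressed as log10(guess number).  The same
# password lands in a lower band under the stringent thresholds.
BANDS = ["weak", "fair", "good", "strong"]
LENIENT_CUTS = (4, 6, 8)
STRINGENT_CUTS = (6, 10, 14)


def strength_band(guess_number, cuts=STRINGENT_CUTS):
    """Map a (combined) guess number to the feedback band a meter would show."""
    if guess_number == NOT_GUESSED:
        return BANDS[-1]
    magnitude = math.log10(guess_number)
    for band, cut in zip(BANDS, cuts):
        if magnitude < cut:
            return band
    return BANDS[-1]


if __name__ == "__main__":
    for budget in (10**6, 10**7):
        print(f"budget 10^{int(math.log10(budget))}:", coverage_report(GUESS_TABLE, budget))
    for pw, row in GUESS_TABLE.items():
        g = combined_guess_number(row)
        print(f"{pw:28} guesses={g:<14} lenient={strength_band(g, LENIENT_CUTS):6} "
              f"stringent={strength_band(g)}")
```

With the constructed table, at a budget of 10^7 guesses each single approach reaches 40% of the passwords while the combined guess numbers reach 60%, and `correcthorsebatterystaple` reads as "strong" under the lenient thresholds but only "fair" under the stringent ones. Real deployments replace `GUESS_TABLE` with guess numbers produced by actual cracking runs over a held-out password set.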
