An Empirical Study on the Web Password Strength in Greece

Text passwords are commonly used for user authentication on the web. There has lately been strong interest in case studies of the password habits of populations with different cultures and/or languages. In this paper, we augment the existing literature with a case study of Greek web sites. We analyze clear-text and encrypted passwords for almost 19,000 accounts and draw conclusions on similarities with and differences from similar empirical studies. Our findings indicate that a significant percentage of users choose easily guessed passwords. The average password length is less than 7 characters and most passwords contain only letters and numbers. However, there are users who prefer passwords containing characters from the Greek alphabet. Such passwords are much harder to guess, and our proposal is to encourage their usage.
