The security of modern password expiration: An algorithmic framework and empirical analysis

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2010, Pages 176-186

  Zhang, Yinqian ^a   Monrose, Fabian ^a   Reiter, Michael K ^a  

^a UNIVERSITY OF NORTH CAROLINA   (United States)

Author keywords

Password expiration; Passwords; User authentication

Indexed keywords

ALGORITHMIC FRAMEWORK; DATA SETS; EFFICIENT ALGORITHM; EMPIRICAL ANALYSIS; OPTIMAL SEARCH STRATEGY; PASSWORD EXPIRATION; PASSWORDS; USER AUTHENTICATION;

ALGORITHMS;

AUTHENTICATION;

EID: 78650011800     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1866307.1866328     Document Type: Conference Paper

References (28)

1. A. Adams and M. A. Sasse. Users are not the enemy. Comm. ACM, 42(12):40-46, December 1999.
2. S. Alexander, Jr. In defense of password expiration. Post to LOPSA blog, April 2006. http://lopsa.org/node/295 as of March 28, 2010.
3. S. M. Bellovin. Unconventional wisdom. IEEE Security & Privacy, 4(1), January-February 2006.
4. M. Bishop. Proactive password checking. In In Proc. 4th Workshop on Computer Security Incident Handling, 1992.
5. S. L. Brand and J. Makey. Department of Defense password management guideline. CSC-STD-002-85, Department of Defense Computer Security Center, April 1985.
6. W. E. Burr, D. F. Dodson, W. T. Polk, P. J. Bond, and A. L. Bement. NIST special publication 800-63, version 1.0.1, 2004.
7. S. Chiasson, A. Forget, E. Stobert, P. C. van Oorschot, and R. Biddle. Multiple password interference in text passwords and click-based graphical passwords. In 16th ACM Conference on Computer and Communications Security, pages 500-511, November 2009.
8. G. Cormode and S. Muthukrishnan. The string edit distance matching problem with moves. ACM Transactions on Algorithms, 3:1-19, February 2007.
9. A. M. De Alvare. How crackers crack passwords or what passwords to avoid. In Second Security Workshop Program, pages 103-112. USENIX, August 1990.
10. A. M. De Alvare and E. E. Schultz, Jr. A framework for password selection. In UNIX Security Workshop Proceedings, pages 8-9. USENIX, August 1988.
11. U. Feige, L. Lovász, and P. Tetali. Approximating min sum set cover. Algorithmica, 40:219-234, 2004.
12. D. Florêncio and C. Herley. A large-scale study of web password habits. In WWW 2007, May 2007.
13. A. Forget, S. Chiasson, P. C. van Oorschot, and R. Biddle. Improving text passwords through persuasion. In SOUPS, 2008.
14. D. V. Klein. Foiling the cracker: A survey of, and improvements to, password security. In Second Security Workshop Program, pages 5-14. USENIX, August 1990.
15. C. Kuo, S. Romanosky, and L. F. Cranor. Human selection of mnemonic phrase-based passwords. In SOUPS, pages 67-78, July 2006.
16. B. Lu and M. B. Twidale. Managing multiple passwords and multiple logins: MiFA minimal-feedback hints for remote authentication. In IFIP INTERACT 2003 Conference, pages 821-824, 2003.
17. N. Massad and J. Beachboard. A taxonomy of service failures in electronic retailing. In 41st Hawaii International Conference on System Sciences, 2008.
18. R. Morris and K. Thompson. Password security: A case history. Comm. ACM, 22:594-597, November 1979.
19. A. Narayanan and V. Shmatikov. Fast dictionary attacks on passwords using time-space tradeoff. In 12th ACM Conference on Computer and Communications Security, pages 364-372, November 2005.
20. P. Oechslin. Making a faster cryptanalytic time-memory trade-off. In Advances in Cryptology - CRYPTO 2003, pages 617-630, August 2003.
21. B. Patterson. Letter to Comm. ACM. Comm. ACM, 43(4):11-12, April 2000.
22. R. Shay, S. Komanduri, P. G. Kelley, P. G. Leon, M. L. Mazurek, L. Bauer, N. Christin, and L. F. Cranor. Encountering stronger password requirements: User attitudes and behaviors. In 6th Symposium on Usable Privacy and Security, July 2010.
23. E. H. Spafford. Opus: Preventing weak password choices. Computers & Security, 11:273-278, 1991.
24. G. Spafford. Security myths and passwords. Post to CERIAS blog, April 2006. http://www.cerias.purdue.edu/ site/blog/post/password-change-myths/ as of March 28, 2010.
25. J. M. Stanton, K. R. Stam, P. Mastrangelo, and J. Jolton. Analysis of end user security behaviors. Computers & Security, 24(2):124-133, 2005.
26. M. Weir, S. Aggarwal, B. de Medeiros, and B. Glodek. Password cracking using probabilistic context-free grammars. In 2009 IEEE Symposium on Security and Privacy, pages 391-405, May 2009.
27. J. Yan. A note on proactive password checking. In ACM New Security Paradigms Workshop, pages 127-135, 2001.
28. J. Zhang, X. Luo, S. Akkaladevi, and J. Ziegelmayer. Improving multiple-password recall: an empirical study. European Journal of Information Systems, pages 1-12, 2009.