Can long passwords be secure and usable?

Conference on Human Factors in Computing Systems - Proceedings

Volumn , Issue , 2014, Pages 2927-2936

  Shay, Richard ^a   Komanduri, Saranga ^a   Durity, Adam L ^a   Huh, Phillip Seyoung ^a   Mazurek, Michelle L ^a   Segreti, Sean M ^a   Ur, Blase ^a   Bauer, Lujo ^a   Christin, Nicolas ^a   Cranor, Lorrie Faith ^a  

^a CARNEGIE MELLON UNIVERSITY   (United States)

Author keywords

Authentication; Password composition policies; Passwords; Security policy; Usable security

Indexed keywords

CRACKS; HUMAN ENGINEERING;

ON-LINE EXPERIMENTS; PASSWORDS; RECENT RESEARCHES; SECURITY POLICY; STRONG PASSWORD; SYSTEM ADMINISTRATORS; USABLE SECURITY;

AUTHENTICATION;

EID: 84900451653     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2556288.2557377     Document Type: Conference Paper

References (35)

1. Adams, A., Sasse, M. A., and Lunt, P. Making passwords secure and usable. In Proc. HCI (1997)
2. Biddle, R., Chiasson, S., and van Oorschot, P. C. Graphical passwords: Learning from the first twelve years. ACM Computing Surveys 44, 4 (2012), 19
3. Bishop, M., and Klein, D. V. Improving system security via proactive password checking. Computers & Security 14, 3 (1995), 233-249
4. Bonneau, J. The Gawker hack: How a million passwords were lost, 2010. http://www. lightbluetouchpaper. org/2010/12/15/the-gawker-hack-how-a-million- passwordswere-lost/
5. Bonneau, J. The science of guessing: Analyzing an anonymized corpus of 70 million passwords. In Proc. IEEE SP (2012)
6. Bonneau, J., Herley, C., van Oorschot, P. C., and Stajano, F. The quest to replace passwords: A framework for comparative evaluation of Web authentication schemes. In Proc. IEEE SP (2012)
7. Brantz, T., and Franz, A. The Google Web 1T 5-gram corpus. Tech. Rep. LDC2006T13, Linguistic Data Consortium, 2006
8. Bright, P. Anonymous speaks: The inside story of the HBGary hack. Ars Technica, February 2011
9. Burr, W. E., Dodson, D. F., Newton, E. M., Perlner, R. A., Polk, W. T., Gupta, S., and Nabbus, E. A. Electronic authentication guideline. Tech. rep., NIST, 2011
10. Burr, W. E., Dodson, D. F., and Polk, W. T. Electronic authentication guideline. Tech. rep., NIST, 2006
11. Campbell, J., Ma, W., and Kleeman, D. Impact of restrictive composition policy on user password choices. Behaviour & Information Technology 30, 3 (2011)
12. Chiasson, S., Forget, A., Stobert, E., van Oorschot, P. C., and Biddle, R. Multiple password interference in text passwords and click-based graphical passwords. In Proc. CCS (2009)
13. Constantin, L. Sony stresses that PSN passwords were hashed. http://news. softpedia. com/news/Sony-Stresses-PSN-Passwords-Were-Hashed-198218. shtml, 2011
14. Dell'Amico, M., Michiardi, P., and Roudier, Y. Password strength: An empirical analysis. In Proc. INFOCOM (2010)
15. Fahl, S., Harbach, M., Acar, Y., and Smith, M. On the ecological validity of a password study. In Proc. SOUPS (2013)
16. Gaw, S., and Felten, E. W. Password management strategies for online accounts. In Proc. SOUPS (2006)
17. Herley, C., and Van Oorschot, P. A research agenda acknowledging the persistence of passwords. IEEE Security and Privacy 10, 1 (2012), 28-36
18. InCommon Federation. Identity assurance profiles bronze and silver v1. 1, 2011
19. Inglesant, P., and Sasse, M. A. The true cost of unusable password policies: Password use in the wild. In Proc. CHI (2010)
20. Keith, M., Shao, B., and Steinbart, P. A behavioral analysis of passphrase design and effectiveness. Journal of the Association for Information Systems 10, 2 (2009), 63-89
21. Kelley, P. G., Komanduri, S., Mazurek, M. L., Shay, R., Vidas, T., Bauer, L., Christin, N., Cranor, L. F., and Lopez, J. Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. In Proc. IEEE SP (2012)
22. Komanduri, S., Shay, R., Kelley, P. G., Mazurek, M. L., Bauer, L., Christin, N., Cranor, L. F., and Egelman, S. Of passwords and people: Measuring the effect of password-composition policies. In Proc. CHI (2011)
23. Mazurek, M. L., Komanduri, S., Vidas, T., Bauer, L., Christin, N., Cranor, L. F., Kelley, P. G., Shay, R., and Ur, B. Measuring password guessability for an entire university. In Proc. CCS (2013)
24. Narayanan, A., and Shmatikov, V. Fast dictionary attacks on passwords using time-space tradeoff. In Proc. CCS (2005)
25. Proctor, R. W., Lien, M.-C., Vu, K.-P. L., Schultz, E. E., and Salvendy, G. Improving computer security for authentication of users: Influence of proactive password restrictions. Behavior Res. Methods, Instruments, & Computers 34, 2 (2002), 163-169
26. Schechter, S., Herley, C., and Mitzenmacher, M. Popularity is everything: A new approach to protecting passwords from statistical-guessing attacks. In Proc. HotSec (2010)
27. Shay, R., Kelley, P. G., Komanduri, S., Mazurek, M. L., Ur, B., Vidas, T., Bauer, L., Christin, N., and Cranor, L. F. Correct horse battery staple: Exploring the usability of system-assigned passphrases. In Proc. SOUPS (2012)
28. Shay, R., Komanduri, S., Kelley, P. G., Leon, P. G., Mazurek, M. L., Bauer, L., Christin, N., and Cranor, L. F. Encountering stronger password requirements: User attitudes and behaviors. In Proc. SOUPS (2010)
29. Spafford, E. H. OPUS: Preventing weak password choices. Computers & Security 11, 3 (1992)
30. Ur, B., Kelley, P. G., Komanduri, S., Lee, J., Maass, M., Mazurek, M., Passaro, T., Shay, R., Vidas, T., Bauer, L., Christin, N., and Cranor, L. F. How does your password measure up? The effect of strength meters on password creation. In Proc. USENIX Security (2012)
31. Vance, A. If your password is 123456, just make it HackMe. The New York Times, http://www. nytimes. com/2010/01/21/technology/21password. html, January 2010
32. Vu, K.-P. L., Proctor, R. W., Bhargav-Spantzel, A., Tai, B.-L. B., and Cook, J. Improving password security and memorability to protect personal and organizational information. Int. J. of Human-Comp. Studies 65, 8 (2007), 744-757
33. Weir, M., Aggarwal, S., Collins, M., and Stern, H. Testing metrics for password creation policies by attacking large sets of revealed passwords. In Proc. CCS (2010)
34. Weir, M., Aggarwal, S., Medeiros, B. d., and Glodek, B. Password cracking using probabilistic context-free grammars. In Proc. IEEE SP (2009)
35. Zviran, M., and Haga, W. J. Password security: An empirical study. J. Mgt. Info. Sys. 15, 4 (1999).