Telepathwords: Preventing weak passwords by reading users' minds

Proceedings of the 23rd USENIX Security Symposium

Volumn , Issue , 2014, Pages 591-606

  Komanduri, Saranga ^a   Shay, Richard ^a   Cranor, Lorrie Faith ^a   Herley, Cormac ^b   Schechter, Stuart ^b  

^a CARNEGIE MELLON UNIVERSITY   (United States)

^b MICROSOFT RESEARCH   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

FORECASTING;

ACCURATE PREDICTION; COMPOSITION RULE; EVALUATION ALGORITHM; GUESSING ATTACKS; HUMAN SUBJECTS; REAL-TIME PREDICTION; USER SESSIONS; WEAK PASSWORDS;

AUTHENTICATION;

EID: 84959262694     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (30)

1. BISHOP, M., and VKLEIN, D. Improving system security via proactive password checking. Computers & Security 14, 3 (1995), 233-249.
2. BONNEAU, J. The science of guessing: analyzing an anonymized corpus of 70 million passwords. In 2012 IEEE Symposium on Security and Privacy (May 2012).
3. BONNEAU, J., HERLEY, C., VAN OORSCHOT, P. C., AND STA-JANO, F. The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. In 2012 IEEE Symposium on Security and Privacy (May 2012).
4. DE CARNAVALET, X. D. C., and MANNAN, M. From very weak to very strong: Analyzing password-strength meters. In Network and Distributed System Security Symposium (NDSS14) (2013).
5. DESIGNER, S. Openwall project free wordlist. http://download.openwall.net/pub/wordlists/all.gz.
6. EGELMAN, S., SOTIRAKOPOULOS, A., MUSLUKHOV, I., BEZNOSOV, K., and HERLEY, C. Does my password go up to eleven?: the impact of password meters on password selection. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (2013), ACM, pp. 2379-2388.
7. FAHL, S., HARBACH, M., ACAR, Y., and SMITH, M. On the ecological validity of a password study. In Proceedings of the Ninth Symposium on Usable Privacy and Security (2013), ACM, p. 13.
8. FLORÊNCIO, D., and HERLEY, C. Where Do Security Policies Come From? Proc. SOUPS (2010).
9. How secure is my password. https://howsecureismypassword.net/.
10. HSU, B., and OTTAVIANO, G. Space-efficient data structures for top-k completion. In 22nd International World Wide Web Conferences (May 13-17 2013).
11. JAKOBSSON, M., and AKAVIPAT, R. Rethinking passwords to adapt to constrained keyboards.
12. KELLEY, P. G., KOMANDURI, S., MAZUREK, M. L., SHAY, R., VIDAS, T., BAUER, L., CHRISTIN, N., and CRANOR., L. F., AND LÓPEZ, J. Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. IEEE Symposium on Security and Privacy 0 (2012), 523-537.
13. KOMANDURI, S., SHAY, R., KELLEY, P. G., and MAZUREK., M. L., BAUER, L., CHRISTIN, N., CRANOR, L. F., and EGELMAN, S. Of passwords and people: measuring the effect of password-composition policies. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (New York, NY, USA, 2011), CHI '11, ACM, pp. 2595-2604.
14. MALONE, D., and MAHER, K. Investigating the distribution of password choices. In Proc. WWW (2012).
15. MAZUREK, M. L., KOMANDURI, S., VIDAS, T., BAUER, L., CHRISTIN, N., CRANOR, L. F., and KELLEY., P. G., SHAY, R., and UR, B. Measuring password guessability for an entire university. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security (2013), ACM, pp. 173-186.
16. MICROSOFT CORPORATION. Check your passwordis it strong? https://www.microsoft.com/en-gb/security/pc-security/password-checker.aspx.
17. MICROSOFT CORPORATION. TechNet Configuring Password Policies. Microsoft TechNet. http://msdn.microsoft.com/en-us/library/cc236715.aspx.
18. MICROSOFT CORPORATION. Windows NT 4.0 Domain Controller Configuration Checklist. Microsoft TechNet. http://technet.microsoft.com/en-us/library/cc722923.aspx.
19. MORRIS, R., and THOMPSON, K. Password security: A case history. Communications of the ACM 22, 11 (1979), 594-597.
20. The password meter. http://www.passwordmeter.com/.
21. SCHECHTER, S., HERLEY, C., and MITZENMACHER, M. Popularity is everything: A new approach to protecting passwords from statistical-guessing attacks. In The 5th USENIX Workshop on Hot Topics in Security (HotSec) (Aug. 10 2010).
22. SCHECHTER, S. E., DHAMIJA, R., OZMENT, A., and FISCHER, I. The emperors new security indicators: An evaluation of website authentication and the effect of role playing on usability studies. In In Proceedings of the 2007 IEEE Symposium on Security and Privacy (May 2007).
23. SCHNEIER, B., and KELSEY, J. Secure audit logs to support computer forensics. ACM Transactions on Information and System Security 2 (1999), 159-176.
24. SHAY, R., and KELLEY., P. G., KOMANDURI, S., MAZUREK, M. L., UR, B., VIDAS, T., BAUER, L., CHRISTIN, N., and CRANOR, L. F. Correct horse battery staple: exploring the usability of system-assigned passphrases. In Proceedings of the Eighth Symposium on Usable Privacy and Security (New York, NY, USA, 2012), SOUPS '12, ACM, pp. 7:1-7:20.
25. SHAY, R., KOMANDURI, S., DURITY, A. L., and HUH., P. S., MAZUREK, M. L., SEGRETI, S. M., UR, B., BAUER, L., CHRISTIN, N., and CRANOR, L. F. Can long passwords be secure and usable? In CHI (2014).
26. SPAFFORD, E. H. OPUS: Preventing weak password choices. Computers & Security 11, 3 (1992), 273-278.
27. STARK, E., HAMBURG, M., and BONEH, D. Symmetric Cryptography in Javascript. In Annual Computer Security Applications Conference (2009), pp. 373-381.
28. UR, B., and KELLEY., P. G., KOMANDURI, S., LEE, J., MAASS, M., and MAZUREK., M. L., PASSARO, T., SHAY, R., VIDAS, T., BAUER, L., CHRISTIN, N., and CRANOR, L. F. How does your password measure up? the effect of strength meters on password creation. In Proceedings of the 21st USENIX Security Symposium (Aug. 8-10 2012).
29. WEIR, M., AGGARWAL, S., COLLINS, M., and STERN, H. Testing metrics for password creation policies by attacking large sets of revealed passwords. In Proceedings of the 17th ACM conference on Computer and communications security (New York, NY, USA, 2010), CCS '10, ACM, pp. 162-175.
30. WHEELER, D. zxcvbn: realistic password strength estimation. Dropbox Tech Blog. https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/, Apr. 2004.