How does your password measure up? The effect of strength meters on password creation

Proceedings of the 21st USENIX Security Symposium

Volumn , Issue , 2012, Pages 65-80

  Ur, Blase ^a   Kelley, Patrick Gage ^a   Komanduri, Saranga ^a   Lee, Joel ^a   Maass, Michael ^a   Mazurek, Michelle L ^a   Passaro, Timothy ^a   Shay, Richard ^a   Vidas, Timothy ^a   Bauer, Lujo ^a   Christin, Nicolas ^a   Cranor, Lorrie Faith ^a  

^a CARNEGIE MELLON UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

VISUAL COMMUNICATION;

PASSWORD CRACKING; PASSWORD CREATION; PASSWORD STRENGTH; SECURITY AND USABILITIES; VISUAL APPEARANCE; VISUAL FEEDBACK;

AUTHENTICATION;

EID: 84979173757     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (42)

1. ADAMS, A., SASSE, M. A., AND LUNT, P. Making passwords secure and usable. In Proc. HCI on People and Computers XII (1997).
2. BISHOP, M., AND KLEIN, D. V. Improving system security via proactive password checking. Computers & Security 14, 3 (1995), 233–249.
3. BONNEAU, J. The science of guessing: Analyzing an anonymized corpus of 70 million passwords. In Proc. IEEE Symposium on Security and Privacy (2012).
4. BONNEAU, J., JUST, M., AND MATTHEWS, G. What’s in a name? Evaluating statistical attacks on personal knowledge questions. In Proc. Financial Crypto (2010).
5. BUHRMESTER, M., KWANG, T., AND GOSLING, S. D. Amazon’s Mechanical Turk: A new source of inexpensive, yet high-quality, data? Perspectives on Psychological Science 6, 1 (2011), 3–5.
6. BURR, W. E., DODSON, D. F., AND POLK, W. T. Electronic authentication guideline. Tech. rep., NIST, 2006.
7. CASTELLUCCIA, C., DÜRMUTH, M., AND PERITO, D. Adaptive password-strength meters from Markov models. In Proc. NDSS (2012).
8. CONRAD, F. G., COUPER, M. P., TOURANGEAU, R., AND PEYTCHEV, A. The impact of progress indicators on task completion. Interacting with computers 22, 5 (2010), 417–427.
9. DELL’AMICO, M., MICHIARDI, P., AND ROUDIER, Y. Password strength: An empirical analysis. In Proc. INFOCOM (2010).
10. DOWNS, J. S., HOLBROOK, M. B., SHENG, S., AND CRANOR, L. F. Are your participants gaming the system? Screening Mechanical Turk workers. In Proc. CHI (2010).
11. FEW, S. Information Dashboard Design: The Effective Visual Communication of Data. O’Reilly Media, Inc., 2006.
12. FLORÊNCIO, D., AND HERLEY, C. A large-scale study of web password habits. In Proc. WWW (2007).
13. FORGET, A., CHIASSON, S., VAN OORSCHOT, P., AND BIDDLE, R. Improving text passwords through persuasion. In Proc. SOUPS (2008).
14. HERLEY, C. So long, and no thanks for the externalities: The rational rejection of security advice by users. In Proc. NSPW (2009).
15. HERLEY, C., AND VAN OORSCHOT, P. A research agenda acknowledging the persistence of passwords. IEEE Security & Privacy, 99 (2011).
16. INGLESANT, P., AND SASSE, M. A. The true cost of unusable password policies: Password use in the wild. In Proc. CHI (2010).
17. IPEIROTIS, P. G. Demographics of Mechanical Turk. Tech. Rep. CeDER-10-01, New York University, March 2010.
18. KELLEY, P. G., KOMANDURI, S., MAZUREK, M. L., SHAY, R., VIDAS, T., BAUER, L., CHRISTIN, N., CRANOR, L. F.,, AND LOPEZ, J. Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. In Proc. IEEE Symposium on Security and Privacy (2012).
19. KESSLER, D. A., MANDE, J. R., SCARBROUGH, F. E., SCHAPIRO, R., AND FEIDEN, K. Developing the “nutrition facts” food label. Harvard Health Policy Review 4, 2 (2003), 13–24.
20. KITTUR, A., CHI, E. H., AND SUH, B. Crowdsourcing user studies with Mechanical Turk. In Proc. CHI (2008).
21. KOMANDURI, S., SHAY, R., KELLEY, P. G., MAZUREK, M. L., BAUER, L., CHRISTIN, N., CRANOR, L. F., AND EGELMAN, S. Of passwords and people: Measuring the effect of password-composition policies. In Proc. CHI (2011).
22. KOTADIA, M. Gates predicts death of the password, Feb. 2004. http://news.cnet.com/2100-1029-5164733.html.
23. LEYDEN, J. Office workers give away passwords for a cheap pen, Apr. 2003. http://www.theregister.co.uk/2003/04/18/office_workers_give_away_passwords/.
24. LOEWENSTEIN, G. F., AND HAISLEY, E. C. The economist as therapist: Methodological ramifications of ‘light’ paternalism. In The Foundations of Positive and Normative Economics. Oxford University Press, 2008.
25. MILMAN, D. A. Death to passwords, Dec. 2010. http://blogs.computerworld.com/17543/death_to_passwords.
26. PROCTOR, R. W., LIEN, M.-C., VU, K.-P. L., SCHULTZ, E. E., AND SALVENDY, G. Improving computer security for authentication of users: Influence of proactive password restrictions. Behavior Research Methods, Instruments, & Computers 34, 2 (2002), 163–169.
27. SCHNEIER, B. Myspace passwords aren’t so dumb, Dec. 2006. http://www.wired.com/politics/security/commentary/securitymatters/2006/12/72300.
28. SHAY, R., KELLEY, P. G., KOMANDURI, S., MAZUREK, M. L., UR, B., VIDAS, T., BAUER, L., CHRISTIN, N., AND CRANOR, L. F. Correct horse battery staple: Exploring the usability of system-assigned passphrases. In Proc. SOUPS (2012).
29. SHAY, R., KOMANDURI, S., KELLEY, P. G., LEON, P. G., MAZUREK, M. L., BAUER, L., CHRISTIN, N., AND CRANOR, L. F. Encountering stronger password requirements: User attitudes and behaviors. In Proc. SOUPS (2010).
30. SHEVELL, S. K., Ed. The Science of Color. Elsevier, 2003.
31. SOTIRAKOPOULOS, A., MUSLUKOV, I., BEZNOSOV, K., HERLEY, C., AND EGELMAN, S. Motivating users to choose better passwords through peer pressure. In Proc. SOUPS (Poster Abstract) (2011).
32. STANTON, J. M., STAM, K. R., MASTRANGELO, P., AND JOLTON, J. Analysis of end user security behaviors. Comp. & Security 24, 2 (2005), 124–133.
33. SUMMERS, W. C., AND BOSWORTH, E. Password policy: The good, the bad, and the ugly. In Proc. WISICT (2004).
34. THALER, R., AND SUNSTEIN, C. Nudge: Improving decisions about health, wealth, and happiness. Yale University Press, 2008.
35. TOOMIM, M., KRIPLEAN, T., PÖRTNER, C., AND LANDAY, J. Utility of human-computer interactions: Toward a science of preference measurement. In Proc. CHI (2011).
36. VANCE, A. If your password is 123456, just make it hackme. New York Times (New York edition), Jan. 21, 2010.
37. VU, K.-P. L., PROCTOR, R. W., BHARGAV-SPANTZEL, A., TAI, B.-L. B., AND COOK, J. Improving password security and memorability to protect personal and organizational information. Int. J. of Human-Comp. Studies 65, 8 (2007), 744–757.
38. WEIR, M., AGGARWAL, S., COLLINS, M., AND STERN, H. Testing metrics for password creation policies by attacking large sets of revealed passwords. In Proc. CCS (2010).
39. WEIR, M., AGGARWAL, S., DE MEDEIROS, B., AND GLODEK, B. Password cracking using probabilistic context-free grammars. In Proc. IEEE Symposium on Security and Privacy (2009).
40. WOGALTER, M., AND VIGILANTE, JR., W. Effects of label format on knowledge acquisition and perceived readability by younger and older adults. Ergonomics 46, 4 (2003), 327–344.
41. YAN, J. J. A note on proactive password checking. In Proc. NSPW (2001).
42. ZHANG, Y., MONROSE, F., AND REITER, M. K. The security of modern password expiration: An algorithmic framework and empirical analysis. In Proc. CCS (2010).