The Tangled Web of Password Reuse

21st Annual Network and Distributed System Security Symposium, NDSS 2014

Volumn , Issue , 2014, Pages

  Das, Anupam ^a   Bonneau, Joseph ^b   Caesar, Matthew ^a   Borisov, Nikita ^a   Wang, XiaoFeng ^c  

^a UNIVERSITY OF ILLINOIS AT URBANA CHAMPAIGN   (United States)

^b PRINCETON UNIVERSITY   (United States)

^c INDIANA UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

INTERNET-SERVICES; PASSWORD GUESSING; REUSE; SIMPLE++; USER AUTHENTICATION; USER SURVEYS; WEB-SITES;

EID: 85133463240     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.14722/ndss/2014.23357     Document Type: Conference Paper

References (49)

1. 55K Twitter Passwords Leaked. http://www.newser.com/story/145750/55k-twitter-passwords-leaked.html.
2. 6.46 million LinkedIn passwords leaked online. http://www.zdnet.com/blog/btl/6-46-million-linkedin-passwords-leaked-online/79290.
3. Alexa. http://www.alexa.com.
4. John the ripper password cracking toolkit. http://www.openwall.com/john/.
5. Leet Transformations. http://qntm.org/l33t.
6. LinkedIn confirms password leak, encourages users to update passwords. http://www.cbsnews.com/8301-501465_162-57448443501465/linkedin-confirms-password-leak-encourages-users-to-updatepasswords/.
7. MD5 Decryptor. http://www.md5decrypter.co.uk/.
8. Millions of LinkedIn passwords reportedly leaked online. http://news.cnet.com/8301-1009_3-57448079-83/millions-of-linkedinpasswords-reportedly-leaked-online/.
9. Moby Words II. http://icon.shef.ac.uk/Moby/.
10. No wonder hackers have it easy: Most of us now have 26 different online accounts - but only five passwords. http://www.dailymail.co.uk/sciencetech/article-2174274/No-wonderhackers-easy-Most-26-different-online-accounts-passwords.html.
11. Online Passwords: Keep it Complicated. http://www.guardian.co.uk/technology/2012/oct/05/online-security-passwords-tricks-hacking.
12. Over 55,000 Twitter passwords exposed, posted online. http://news.yahoo.com/blogs/technology-blog/over-55-000-twitterpasswords-exposed-posted-online-165625320.html.
13. RockYou leak. http://techcrunch.com/2009/12/14/rockyou-hacksecurity-myspace-facebook-passwords/.
14. RockYou Password Analysis. http://thepasswordproject.com/rockyoupasspal_0.4_dump.
15. Survey Questions. http://web.engr.illinois.edu/~das17/passwordreuse. html.
16. Thousands of Twitter passwords exposed. http://news.cnet.com/83011009_3-57430475-83/thousands-of-twitter-passwords-exposed/.
17. Yahoo hacked, 450,000 passwords posted online. http://www.cnn.com/2012/07/12/tech/web/yahoo-users-hacked.
18. Yahoo Voice hack leaks 450,000 passwords. http://www.guardian.co.uk/technology/2012/jul/12/yahoo-voice-hack-attack-passwords-stolen.
19. Yahoo’s password leak. http://news.cnet.com/8301-1009_3-5747117883/yahoos-password-leak-what-you-need-to-know-faq/.
20. A. Adams and M. A. Sasse, “Users Are Not The Enemy,” Commun. ACM, vol. 42, no. 12, pp. 40–46, 1999.
21. J. Bonneau, “The science of guessing: analyzing an anonymized corpus of 70 million passwords,” in Proceedings of the 33rd IEEE Symposium on Security and Privacy, ser. SP’12, May 2012.
22. J. Bonneau, C. Herley, P. C. v. Oorschot, and F. Stajano, “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes,” in Proceedings of the 2012 IEEE Symposium on Security and Privacy, ser. SP’12, 2012, pp. 553–567.
23. J. Bonneau, M. Just, and G. Matthews, “What’s in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions,” in Proceedings of the 14th International conference on Financial Cryptography and Data Security, ser. FC’10, 2010, pp. 98–113.
24. J. Bonneau and S. Preibusch, “The password thicket: technical and market failures in human authentication on the web,” in Proceedings of the 9th Workshop on the Economics of Information Security, June 2010. [Online]. Available: http://www.jbonneau.com/doc/BP10-WEISpassword_thicket.pdf
25. W. E. Burr, D. F. Dodson, and W. T. Polk. (2006) Electronic Authentication Guideline. [Online]. Available: http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
26. S. Chiasson, P. C. van Oorschot, and R. Biddle, “A Usability Study and Critique of Two Password Managers,” in Proceedings of the 15th conference on USENIX Security Symposium, ser. USENIX-SS’06, 2006.
27. W. W. Cohen, P. Ravikumar, and S. E. Fienberg, “A Comparison of String Distance Metrics for Name-Matching Tasks,” in Proceedings of IJCAI-03 Workshop on Information Integration, 2003, pp. 73–78.
28. F. J. Damerau, “A Technique for Computer Detection and Correction of Spelling Errors,” Commun. ACM, vol. 7, no. 3, pp. 171–176, Mar. 1964.
29. M. Dell’Amico, P. Michiardi, and Y. Roudier, “Password Strength: An Empirical Analysis,” in Proceedings of the 29th conference on Information Communications, ser. INFOCOM’10, 2010, pp. 983–991.
30. L. R. Dice, “Measures of the Amount of Ecologic Association Between Species,” Ecology, vol. 26, no. 3, pp. 297–302, Jul. 1945.
31. S. Egelman, J. Bonneau, S. Chiasson, D. Dittrich, and S. Schechter, “It’s Not Stealing If You Need It: A Panel on the Ethics of Performing Research Using Public Data of Illicit origin,” in Proceedings of the 3rd Workshop on Ethics in Computer Security Research, ser. WECSR’12, 2012, pp. 124–132.
32. D. Florêncio and C. Herley, “A Large-Scale Study of Web Password Habits,” in Proceedings of the 16th International Conference on the World Wide Web, ser. WWW’07, 2007, pp. 657–666.
33. S. Gaw and E. W. Felten, “Password Management Strategies for Online Accounts,” in Proceedings of the 2nd Symposium on Usable Privacy and Security, ser. SOUPS’06, 2006, pp. 44–55.
34. P. G. Kelley, S. Komanduri, M. L. Mazurek, R. Shay, T. Vidas, L. Bauer, N. Christin, L. F. Cranor, and J. Lopez, “Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms,” in Proceedings of the 33rd IEEE Symposium on Security and Privacy, ser. SP’12, 2012, pp. 523–537.
35. S. Komanduri, R. Shay, P. G. Kelley, M. L. Mazurek, L. Bauer, N. Christin, L. F. Cranor, and S. Egelman, “Of Passwords and People: Measuring the Effect of Password-Composition Policies,” in Proceedings of the International Conference on Human Factors in Computing Systems, ser. CHI’11, 2011, pp. 2595–2604.
36. E. F. Krause, Taxicab Geometry: An Adventure in Non-Euclidean Geometry. Dover Publications, 1987.
37. M. Levandowsky and D. Winter, “Distance between Sets,” Nature, vol. 234, no. 5, pp. 34–34, 1971.
38. V. I. Levenshtein, “Binary codes capable of correcting deletions, insertions, and reversals,” Soviet Physics Doklady, vol. 10, no. 8, pp. 707–710, 1966.
39. A. Narayanan and V. Shmatikov, “Fast Dictionary Attacks on Passwords Using Time-Space Tradeoff,” in Proceedings of the 12th ACM conference on Computer and communications security, ser. CCS’05, 2005, pp. 364–372.
40. S. B. Needleman and C. D. Wunsch, “A General Method Applicable to the Search for Similarities in the Amino Acid Sequence of Two Proteins,” Journal of Molecular Biology, vol. 48, no. 3, pp. 443–453, 1970.
41. D. Perito, C. Castelluccia, and M. Duermuth, “Adaptive Password-Strength Meters from Markov Models,” in Proceedings of the 19th Network and Distributed Systems Security Symposium, ser. NDSS’12, 2012.
42. S. Rane and W. Sun, “Privacy Preserving String Comparisons Based on Levenshtein Distance,” in Proceedings of IEEE International Workshop on Information Forensics and Security, ser. WIFS’10, 2010.
43. B. Ross, C. Jackson, N. Miyake, D. Boneh, and J. C. Mitchell, “Stronger Password Authentication Using Browser Extensions,” in Proceedings of the 14th conference on USENIX Security Symposium, ser. USENIX-SS ’05, 2005.
44. R. Shay, S. Komanduri, P. G. Kelley, P. G. Leon, M. L. Mazurek, L. Bauer, N. Christin, and L. F. Cranor, “Encountering Stronger Password Requirements: User Attitudes and Behaviors,” in Proceedings of the 6th Symposium on Usable Privacy and Security, ser. SOUPS’10, 2010, pp. 1–20.
45. T. Smith and M. Waterman, “Identification of Common Molecular Subsequences,” Journal of Molecular Biology, vol. 147, no. 1, pp. 195–197, 1981.
46. B. Ur, P. G. Kelley, S. Komanduri, J. Lee, M. Maass, M. L. Mazurek, T. Passaro, R. Shay, T. Vidas, L. Bauer, N. Christin, and L. F. Cranor, “How does your password measure up? The effect of strength meters on password creation,” in Proceedings of the 21st USENIX conference on Security symposium, ser. USENIX-SS’12. USENIX Association, 2012, pp. 65–80.
47. M. Weir, S. Aggarwal, M. Collins, and H. Stern, “Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords,” in Proceedings of the 17th ACM conference on Computer and Communications Security, ser. CCS’10, 2010, pp. 162–175.
48. M. Weir, S. Aggarwal, B. de Medeiros, and B. Glodek, “Password Cracking Using Probabilistic Context-Free Grammars,” in Proceedings of the 30th IEEE Symposium on Security and Privacy, ser. SP’09, 2009, pp. 391–405.
49. Y. Zhang, F. Monrose, and M. K. Reiter, “The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis,” in Proceedings of the 17th ACM conference on Computer and communications security, ser. CCS’10, 2010, pp. 176–186.