Title
Measuring password guessability for an entire university
Abstract
Despite considerable research on passwords, empirical studies of password strength have been limited by lack of access to plaintext passwords, small data sets, and password sets specifically collected for a research study or from low-value accounts. Properties of passwords used for high-value accounts thus remain poorly understood. We fill this gap by studying the single-sign-on passwords used by over 25,000 faculty, staff, and students at a research university with a complex password policy. Key aspects of our contributions rest on our (indirect) access to plaintext passwords. We describe our data collection methodology, particularly the many precautions we took to minimize risks to users. We then analyze how guessable the collected passwords would be during an offline attack by subjecting them to a state-of-the-art password cracking algorithm. We discover significant correlations between a number of demographic and behavioral factors and password strength. For example, we find that users associated with the computer science school make passwords more than 1.5 times as strong as those of users associated with the business school. In addition, we find that stronger passwords are correlated with a higher rate of errors entering them. We also compare the guessability and other characteristics of the passwords we analyzed to sets previously collected in controlled experiments or leaked from low-value accounts. We find more consistent similarities between the university passwords and passwords collected for research studies under similar composition policies than we do between the university passwords and subsets of passwords leaked from low-value accounts that happen to comply with the same policies.
Year: 2013
DOI: 10.1145/2508859.2516726
Venue: ACM Conference on Computer and Communications Security
Keywords: entire university, state-of-the-art password, password strength, stronger password, research university, research study, considerable research, low-value account, business school, password guessability, complex password policy, university password, passwords, password security, authentication
Field: Internet privacy, Password cracking, Password strength, Computer science, Computer security, Password psychology, One-time password, Password policy, Password, Cognitive password, Plaintext
DocType: Conference
Citations: 80
PageRank: 2.16
References: 32
Authors (9)

Order  Name                  Citations  PageRank
1      Michelle L. Mazurek   1059       57.67
2      Saranga Komanduri     1095       41.21
3      Timothy Vidas         715        38.49
4      Lujo Bauer            2460       120.71
5      Nicolas Christin      2133       126.02
6      Lorrie Faith Cranor   6767       515.80
7      Patrick Gage Kelley   1679       79.74
8      Richard Shay          1073       43.90
9      Blase Ur              973        48.81