Proceedings Article • DOI

A large-scale study of web password habits

Dinei Florencio, Cormac Herley
08 May 2007, pp. 657-666
TL;DR: The study involved half a million users over a three month period and gets extremely detailed data on password strength, the types and lengths of passwords chosen, and how they vary by site.
Abstract: We report the results of a large scale study of password use and password re-use habits. The study involved half a million users over a three month period. A client component on users' machines recorded a variety of password strength, usage and frequency metrics. This allows us to measure or estimate such quantities as the average number of passwords and average number of accounts each user has, how many passwords she types per day, how often passwords are shared among sites, and how often they are forgotten. We get extremely detailed data on password strength, the types and lengths of passwords chosen, and how they vary by site. The data is the first large scale study of its kind, and yields numerous other insights into the role the passwords play in users' online experience.


Citations
Proceedings Article • DOI
20 May 2012
TL;DR: It is concluded that many academic proposals to replace text passwords for general-purpose user authentication on the web have failed to gain traction because researchers rarely consider a sufficiently wide range of real-world constraints.
Abstract: We evaluate two decades of proposals to replace text passwords for general-purpose user authentication on the web using a broad set of twenty-five usability, deployability and security benefits that an ideal scheme might provide. The scope of proposals we survey is also extensive, including password management software, federated login protocols, graphical password schemes, cognitive authentication schemes, one-time passwords, hardware tokens, phone-aided schemes and biometrics. Our comprehensive approach leads to key insights about the difficulty of replacing passwords. Not only does no known scheme come close to providing all desired benefits: none even retains the full set of benefits that legacy passwords already provide. In particular, there is a wide range from schemes offering minor security benefits beyond legacy passwords, to those offering significant security benefits in return for being more costly to deploy or more difficult to use. We conclude that many academic proposals have failed to gain traction because researchers rarely consider a sufficiently wide range of real-world constraints. Beyond our analysis of current schemes, our framework provides an evaluation methodology and benchmark for future web authentication proposals.

914 citations


Cites background from "A large-scale study of web password..."

  • ...This work grew out of the Related Work section of Pico [8]....

Proceedings Article • DOI
Joseph Bonneau
20 May 2012
TL;DR: It is estimated that passwords provide fewer than 10 bits of security against an online, trawling attack, and only about 20 bits of security against an optimal offline dictionary attack, when compared with a uniform distribution which would provide equivalent security against different forms of guessing attack.
Abstract: We report on the largest corpus of user-chosen passwords ever studied, consisting of anonymized password histograms representing almost 70 million Yahoo! users, mitigating privacy concerns while enabling analysis of dozens of subpopulations based on demographic factors and site usage characteristics. This large data set motivates a thorough statistical treatment of estimating guessing difficulty by sampling from a secret distribution. In place of previously used metrics such as Shannon entropy and guessing entropy, which cannot be estimated with any realistically sized sample, we develop partial guessing metrics including a new variant of guesswork parameterized by an attacker's desired success rate. Our new metric is comparatively easy to approximate and directly relevant for security engineering. By comparing password distributions with a uniform distribution which would provide equivalent security against different forms of guessing attack, we estimate that passwords provide fewer than 10 bits of security against an online, trawling attack, and only about 20 bits of security against an optimal offline dictionary attack. We find surprisingly little variation in guessing difficulty; every identifiable group of users generated a comparably weak password distribution. Security motivations such as the registration of a payment card have no greater impact than demographic factors such as age and nationality. Even proactive efforts to nudge users towards better password choices with graphical feedback make little difference. More surprisingly, even seemingly distant language communities choose the same weak passwords and an attacker never gains more than a factor of 2 efficiency gain by switching from the globally optimal dictionary to a population-specific list.

711 citations

Journal Article • DOI
TL;DR: This article first catalogues existing approaches, highlighting novel features of selected schemes and identifying key usability or security advantages, and reviews usability requirements for knowledge-based authentication as they apply to graphical passwords.
Abstract: Starting around 1999, a great many graphical password schemes have been proposed as alternatives to text-based password authentication. We provide a comprehensive overview of published research in the area, covering both usability and security aspects as well as system evaluation. The article first catalogues existing approaches, highlighting novel features of selected schemes and identifying key usability or security advantages. We then review usability requirements for knowledge-based authentication as they apply to graphical passwords, identify security threats that such systems must address and review known attacks, discuss methodological issues related to empirical evaluation, and identify areas for further research and improved methodology.

635 citations


Cites background from "A large-scale study of web password..."

  • ...Web-Based user studies are gaining popularity [Florencio and Herley 2007; Andrews et al. 2003; Moncur and Leplatre 2007; Everitt et al. 2009]....

Proceedings Article • DOI
06 Apr 2008
TL;DR: Using a model from the warning sciences, how users perceive warning messages is analyzed and suggestions for creating more effective warning messages within the phishing context are offered.
Abstract: Many popular web browsers are now including active phishing warnings after previous research has shown that passive warnings are often ignored. In this laboratory study we examine the effectiveness of these warnings and examine if, how, and why they fail users. We simulated a spear phishing attack to expose users to browser warnings. We found that 97% of our sixty participants fell for at least one of the phishing messages that we sent them. However, we also found that when presented with the active warnings, 79% of participants heeded them, which was not the case for the passive warning that we tested, where only one participant heeded the warnings. Using a model from the warning sciences we analyzed how users perceive warning messages and offer suggestions for creating more effective warning messages within the phishing context.

613 citations


Cites background from "A large-scale study of web password..."

  • ...4% of the population falls for phishing attacks annually [9]....

Proceedings Article • DOI
Cormac Herley
08 Sep 2009
TL;DR: It is argued that users' rejection of the security advice they receive is entirely rational from an economic perspective, and most security advice simply offers a poor cost-benefit tradeoff to users and is rejected.
Abstract: It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses. Thus we find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.

543 citations


Cites background from "A large-scale study of web password..."

  • ...When that fraction is small, designing security advice that is beneficial is very hard....

References
Journal Article • DOI
TL;DR: It is argued that to change this state of affairs, security departments need to communicate more with users, and adopt a user-centered design approach.
Abstract: Many system security departments treat users as a security risk to be controlled. The general consensus is that most users are careless and unmotivated when it comes to system security. In a recent study, we found that users may indeed compromise computer security mechanisms, such as password authentication, both knowingly and unknowingly. A closer analysis, however, revealed that such behavior is often caused by the way in which security mechanisms are implemented, and users' lack of knowledge. We argue that to change this state of affairs, security departments need to communicate more with users, and adopt a user-centered design approach.

1,458 citations


"A large-scale study of web password..." refers background in this paper

  • ...[3] A. Adams and M. A. Sasse....

  • ...Adams and Sasse [3] surveyed users about password memorability, and also conclude that choosing secure passwords that are memorable is proving a difficult task for many users....

  • ...The longstanding problem of users choosing passwords that are too easily brute forced [12, 6, 3] has been joined by the new problem of users unwittingly revealing their passwords in the clear....

Journal Article • DOI
Robert Morris, Ken Thompson
TL;DR: The present design of the password security scheme was the result of countering observed attempts to penetrate the system and is a compromise between extreme security and ease of use.
Abstract: This paper describes the history of the design of the password security scheme on a remotely accessed time-sharing system. The present design was the result of countering observed attempts to penetrate the system. The result is a compromise between extreme security and ease of use.

1,015 citations


"A large-scale study of web password..." refers background in this paper

  • ...password habits on a UNIX time sharing system is [12]....

  • ...The longstanding problem of users choosing passwords that are too easily brute forced [12, 6, 3] has been joined by the new problem of users unwittingly revealing their passwords in the clear....

Journal Article • DOI
01 Sep 2004
TL;DR: To determine how to help users choose good passwords, the authors performed a controlled trial of the effects of giving users different kinds of advice.
Abstract: Users rarely choose passwords that are both hard to guess and easy to remember. To determine how to help users choose good passwords, the authors performed a controlled trial of the effects of giving users different kinds of advice. Some of their results challenge the established wisdom.

678 citations


"A large-scale study of web password..." refers background or result in this paper

  • ...[9] performed a more recent study of password memorability and security....

  • ...This accords well with the finding of [9] where very few users used a special character unless instructed to do so....

Journal Article
TL;DR: Some of the problems of current password security are outlined by demonstrating the ease by which individual accounts may be broken, and one solution to this point of system vulnerability, a proactive password checker is proposed.
Abstract: With the rapid burgeoning of national and international networks, the question of system security has become one of growing importance. High speed inter-machine communication and even higher speed computational processors have made the threats of system "crackers," data theft, and data corruption very real. This paper outlines some of the problems of current password security by demonstrating the ease by which individual accounts may be broken. Various techniques used by crackers are outlined, and finally one solution to this point of system vulnerability, a proactive password checker, is proposed.

453 citations


"A large-scale study of web password..." refers background in this paper

  • ...Klein [5] reported being able to crack about 25% of passwords in use, again on a Unix system, by brute force attack....

Proceedings Article
Blake Ross, Collin Jackson, Nick Miyake, Dan Boneh, John C. Mitchell
31 Jul 2005
TL;DR: A browser extension, PwdHash, that transparently produces a different password for each site, improving web password security and defending against password phishing and other attacks is described.
Abstract: We describe a browser extension, PwdHash, that transparently produces a different password for each site, improving web password security and defending against password phishing and other attacks. Since the browser extension applies a cryptographic hash function to a combination of the plaintext password entered by the user, data associated with the web site, and (optionally) a private salt stored on the client machine, theft of the password received at one site will not yield a password that is useful at another site. While the scheme requires no changes on the server side, implementing this password method securely and transparently in a web browser extension turns out to be quite difficult. We describe the challenges we faced in implementing PwdHash and some techniques that may be useful to anyone facing similar security issues in a browser environment.

437 citations


"A large-scale study of web password..." refers background in this paper

  • ...Various Password Management systems offer to assist users by having a single sign-on using a master password [7, 13]....