Abstract
Multiple studies have demonstrated that users select weak passwords. However, the vast majority of studies on password security use password lists that contain passwords for only one site, which means that several important questions cannot be studied. For example, how much stronger are password choices for different categories of sites? We use a dataset which we extracted from a large dump of malware records. It contains multiple accounts (and passwords) per user and thus allows us to study both password re-use and the correlation between the value of an account and the strength of the passwords chosen for those accounts.
The first contribution of our study shows that users in our sample choose (substantially) stronger passwords for financial accounts than for low-value accounts, based on the extracted passwords as well as publicly available lists. This contribution has implications for password research, as some widely-used lists contain passwords much weaker than those used in the real world for accounts of more than low value. In our second contribution, we measure password re-use as a function of account value. We see that although high-value passwords are stronger, they are re-used more frequently than low-value passwords: a valuable password is identical to 21% of the remaining passwords of the same user. Before our study, little was known about password re-use for different account values.
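To make the two measurements in the abstract concrete, here is an added example that is not the paper's code and does not use its dataset: it runs over a small constructed set of per-user (account category, password) records, splits accounts into high-value and low-value by a hypothetical category list, and computes (a) a crude strength proxy per value class and (b) the re-use rate, defined as the fraction of a user's remaining passwords that are identical to a given password, pooled over all users. The strength proxy (log2 of the search space implied by the character classes used) and the category split are assumptions for illustration, not the paper's metrics.

```python
from collections import defaultdict
from math import log2
from statistics import mean

# Constructed sample records: user id -> list of (account category, password).
# Invented for illustration; not data from the paper.
SAMPLE = {
    "u1": [("bank", "Tr0ub4dor&3x"), ("mail", "sunshine"),
           ("forum", "sunshine"), ("shop", "sunshine1")],
    "u2": [("bank", "letmein"), ("mail", "letmein"), ("game", "letmein")],
    "u3": [("paypal", "C0rrect!Horse9"), ("mail", "C0rrect!Horse9"),
           ("forum", "qwerty"), ("shop", "qwerty")],
    "u4": [("mail", "password"), ("forum", "password"), ("shop", "dragon")],
}

# Hypothetical mapping of account categories to "high value" (financial).
HIGH_VALUE = {"bank", "paypal", "broker"}


def is_high_value(category):
    return category in HIGH_VALUE


def strength_bits(pw):
    """Crude strength proxy (assumption, not the paper's metric):
    log2 of the brute-force search space implied by the character
    classes present, i.e. len(pw) * log2(charset size)."""
    charset = 0
    if any(c.islower() for c in pw):
        charset += 26
    if any(c.isupper() for c in pw):
        charset += 26
    if any(c.isdigit() for c in pw):
        charset += 10
    if any(not c.isalnum() for c in pw):
        charset += 33  # printable ASCII punctuation
    return len(pw) * log2(charset) if charset else 0.0


def mean_strength_by_value(records):
    """Average strength proxy for high-value vs low-value accounts,
    pooled over all users' accounts."""
    buckets = defaultdict(list)
    for accounts in records.values():
        for cat, pw in accounts:
            key = "high" if is_high_value(cat) else "low"
            buckets[key].append(strength_bits(pw))
    return {k: mean(v) for k, v in buckets.items()}


def reuse_rate(records, high_value=True):
    """Fraction of a user's remaining passwords identical to each password
    of the selected value class, pooled over all (password, other account)
    pairs. With high_value=True this is the statistic the abstract reports
    for valuable passwords; with high_value=False the low-value baseline."""
    identical = total = 0
    for accounts in records.values():
        for i, (cat, pw) in enumerate(accounts):
            if is_high_value(cat) != high_value:
                continue
            others = [p for j, (_, p) in enumerate(accounts) if j != i]
            total += len(others)
            identical += sum(1 for p in others if p == pw)
    return identical / total if total else 0.0


if __name__ == "__main__":
    print("mean strength (bits):", mean_strength_by_value(SAMPLE))
    print("high-value re-use rate:", reuse_rate(SAMPLE, high_value=True))
    print("low-value re-use rate:", reuse_rate(SAMPLE, high_value=False))
```

On real data the same two functions would be run over per-user account lists with the category mapping replaced by whatever site classification the study uses; the re-use rate is deliberately computed per (password, other account) pair so that users with many accounts contribute proportionally more comparisons, which is one modelling choice among several and should be stated alongside the number.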
© 2014 Springer International Publishing Switzerland
Bailey, D.V., Dürmuth, M., Paar, C. (2014). Statistics on Password Re-use and Adaptive Strength for Financial Accounts. In: Abdalla, M., De Prisco, R. (eds) Security and Cryptography for Networks. SCN 2014. Lecture Notes in Computer Science, vol 8642. Springer, Cham. https://doi.org/10.1007/978-3-319-10879-7_13
DOI: https://doi.org/10.1007/978-3-319-10879-7_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-10878-0
Online ISBN: 978-3-319-10879-7
eBook Packages: Computer Science, Computer Science (R0)