
Password Requirements Markup Language

  • Conference paper
  • Information Security and Privacy (ACISP 2016)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9722)

Abstract

Passwords are the most widely used authentication scheme for granting access to user accounts on the Internet. In order to choose strong passwords, security experts recommend the use of password generators. However, automatically generated passwords often get rejected by services because they do not fulfill the services’ password requirements. Users need to manually look up the password requirements for each individual service and configure the password generator accordingly. This inconvenience induces users not to employ password generators and rather to stick to weak passwords. We present a solution that enables generators to automatically create passwords in accordance with services’ password requirements. First, we introduce the Password Requirements Markup Language (PRML). It enables uniformly specified Password Requirements Descriptions (PRDs) for services. PRDs can be automatically processed by password generators and allow the generation of strong, valid passwords without user interaction. Second, we present a crawler for the automated extraction of password requirements from services’ websites and the creation of the corresponding PRDs. This crawler allowed us to create PRDs for 72,124 services. Third, we describe a centralized and a decentralized approach for the provision of the PRDs to password generators. Finally, we present a password generator which uses PRDs and requires nothing but a service’s URL in order to generate a strong and valid password for the service.

Notes

  1. http://www.passwordpolicy.info/prml.xsd.

  2. The Alexa Top 500 US list [6] reduced by websites with pornographic and illegal content, non-English websites, and websites that do not have or allow the creation of user accounts (e.g. banking websites).

  3. Our implementation is based on the Apache UIMA framework [8, 14].

  4. See footnote 2.

  5. We took the Quantcast Top Million U.S. Web Sites list [18], which lists the top ranked domains based on the number of people visiting the websites from the US.

  6. The terms create account, register or join lead to comparable results.

  7. We evaluated this approach based on 200 services. For 91 % of the services the sign-up page can be found through the first three search results. For 1.5 % the sign-up page was listed between the fourth and the thirtieth result. For the remaining 7.5 % no sign-up page was found within the first thirty results. The main reason is that these services do not allow search engines to index their sign-up pages (e.g. wikipedia.org). For performance reasons we only considered the first three results.

  8. In comparison to the manual analysis of the Alexa Top 500 websites, where 60 % have no user accounts, 593,512 websites (59 %) are in the same range and as expected.

  9. The list is available at http://www.passwordpolicy.info/prds.txt, as well as some examples at http://www.passwordpolicy.info/prds.zip.

  10. KeePass [20] is an open-source password manager and provides an extension framework that allows third-party developers to enhance it with additional functionality.

References

  1. Anonymizer. https://www.anonymizer.com/

  2. Password requirements. http://passrequirements.com

  3. TOR Project: Anonymity Online. https://www.torproject.org

  4. TorGuard: online privacy protection services. https://torguard.net

  5. Adams, A., Sasse, M.A., Lunt, P.: Making Passwords Secure and Usable. In: Thimbleby, H., Conaill, B., Thomas, P.J. (eds.) People and Computers XII, pp. 1–19. Springer, London (1997)

  6. Alexa Internet: The top 500 sites on the web. http://www.alexa.com/topsites

  7. AlFayyadh, B., et al.: Improving usability of password management with standardized password policies, p. 8. Australia (2011)

  8. Apache Software Foundation: Apache UIMA (2015). https://uima.apache.org/

  9. Bishop, M., Klein, D.V.: Improving system security via proactive password checking. Comput. Secur. 14(3), 233–249 (1995)

  10. Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: IEEE Symposium on Security and Privacy, SP 2012, pp. 538–552. IEEE Computer Society, San Francisco, California, USA, 21–23 May 2012

  11. Cambria, E., White, B.: Jumping NLP curves: a review of natural language processing research [review article]. IEEE Comput. Int. Mag. 9(2), 48–57 (2014)

  12. Castelluccia, C., Abdelberi, C., Dürmuth, M., Perito, D.: When privacy meets security: leveraging personal information for password cracking. CoRR abs/1304.6584 (2013)

  13. Dell’Amico, M., Michiardi, P., Roudier, Y.: Password strength: an empirical analysis. In: INFOCOM, pp. 983–991. IEEE (2010)

  14. Ferrucci, D.A., Lally, A.: UIMA: an architectural approach to unstructured information processing in the corporate research environment. Nat. Lang. Eng. 10(3–4), 327–348 (2004)

  15. Florêncio, D.A.F., Herley, C.: A large-scale study of web password habits. In: Williamson, C.L., Zurko, M.E., Patel-Schneider, P.F., Shenoy, P.J. (eds.) Proceedings of the 16th International Conference on World Wide Web, WWW 2007, pp. 657–666. ACM, Banff, Alberta, Canada, 8–12 May 2007

  16. Kelley, P.G., Komanduri, S., Mazurek, M.L., Shay, R., Vidas, T., Bauer, L., Christin, N., Cranor, L.F., Lopez, J.: Guess again (and again, again): measuring password strength by simulating password-cracking algorithms. In: IEEE Symposium on Security and Privacy, SP 2012, pp. 523–537. IEEE Computer Society, San Francisco, California, USA, 21–23 May 2012

  17. Nottingham, M., Hammer-Lahav, E.: Defining Well-Known Uniform Resource Identifiers (URIs). RFC 5785 (2010). https://tools.ietf.org/html/rfc5785

  18. Quantcast: Quantcast Top Million U.S. Web Sites (2015). https://www.quantcast.com

  19. RANDOM.ORG Ltd.: RANDOM.ORG Password Generator. https://www.random.org/passwords/

  20. Reichl, D.: KeePass Password Safe (2015). http://keepass.info

  21. Shay, R., Bertino, E.: A comprehensive simulation tool for the analysis of password policies. Int. J. Inf. Sec. 8(4), 275–289 (2009)

  22. Shay, R., Bhargav-Spantzel, A., Bertino, E.: Password policy simulation and analysis. In: Digital Identity Management, pp. 1–10. ACM (2007)

  23. Squicciarini, A.C., Bhargav-Spantzel, A., Bertino, E., Czeksis, A.B.: Auth-SL - a system for the specification and enforcement of quality-based authentication policies. In: Qing, S., Imai, H., Wang, G. (eds.) ICICS 2007. LNCS, vol. 4861, pp. 386–397. Springer, Heidelberg (2007)

  24. Stajano, F., Spencer, M., Jenkinson, G., Stafford-Fraser, Q.: Password-Manager Friendly (PMF): semantic annotations to improve the effectiveness of password managers. In: Mjølsnes, S.F. (ed.) PASSWORD 2014. LNCS, vol. 9393, pp. 61–73. Springer, Heidelberg (2015). doi:10.1007/978-3-319-24192-0_4

  25. Thoeing, C.: PWGen (2015). http://pwgen-win.sourceforge.net

  26. Wang, D., Wang, P.: The emperor’s new password creation policies: an evaluation of leading web services and the effect of role in resisting against online guessing. In: Pernul, G., et al. (eds.) ESORICS 2015, Part II. LNCS, vol. 9327, pp. 456–477. Springer, Heidelberg (2015). doi:10.1007/978-3-319-24177-7_23

  27. Weir, M., Aggarwal, S., Collins, M.P., Stern, H.: Testing metrics for password creation policies by attacking large sets of revealed passwords. In: Al-Shaer, E., Keromytis, A.D., Shmatikov, V. (eds.) Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, pp. 162–175. ACM, Chicago, Illinois, USA, 4–8 October 2010

  28. Weir, M., Aggarwal, S., de Medeiros, B., Glodek, B.: Password cracking using probabilistic context-free grammars. In: IEEE Symposium on Security and Privacy, pp. 391–405. IEEE Computer Society (2009)

  29. Zviran, M., Haga, W.J.: Password security: an empirical study. J. Manage. Inf. Syst. 15(4), 161–186 (1999)

Author information

Corresponding author: Moritz Horsch.

Appendices

A Fictitious Example PRD

The PRD in Listing 1.1 defines the character sets lowercase letters, uppercase letters, numbers, special characters, and spaces. It requires that a password contains at least one special character and one number. Furthermore, the first character must be a lowercase letter. The password must not have more than 3 consecutive identical characters. The minimum password length is 10 and the maximum is 20 characters.

[Listing 1.1: fictitious example PRD; the listing image is not reproduced here.]
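As an added example (not code from the paper or from its KeePass plugin), the following Python represents the fictitious PRD described above as a plain dict, which is an assumed in-memory form standing in for the PRML XML that is not reproduced on this page. It checks candidate passwords against each stated rule and generates a valid password with the operating system's CSPRNG by rejection sampling. The members of the special-character set are a constructed choice.

```python
import secrets
import string

# Character sets named in Appendix A. The concrete members of "special" are a
# constructed choice for this example; the paper's listing is not on this page.
CHARSETS = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "number": string.digits,
    "special": "!#$%&*+-./:;=?@^_~",
    "space": " ",
}

# The fictitious PRD of Appendix A as a plain Python dict. This is an assumed
# in-memory representation, not the PRML XML format.
EXAMPLE_PRD = {
    "min_length": 10,
    "max_length": 20,
    "require_at_least": {"special": 1, "number": 1},
    "first_char_set": "lowercase",
    "max_consecutive_identical": 3,
}


def longest_run(s):
    """Length of the longest run of identical consecutive characters in s."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def violations(password, prd=EXAMPLE_PRD):
    """Check a candidate against the PRD; an empty list means it is valid."""
    problems = []
    allowed = "".join(CHARSETS.values())
    if len(password) < prd["min_length"]:
        problems.append(f"shorter than {prd['min_length']}")
    if len(password) > prd["max_length"]:
        problems.append(f"longer than {prd['max_length']}")
    if any(ch not in allowed for ch in password):
        problems.append("contains a character outside the defined character sets")
    for name, count in prd["require_at_least"].items():
        if sum(ch in CHARSETS[name] for ch in password) < count:
            problems.append(f"needs at least {count} from set '{name}'")
    first = prd["first_char_set"]
    if not password or password[0] not in CHARSETS[first]:
        problems.append(f"first character must be from set '{first}'")
    if longest_run(password) > prd["max_consecutive_identical"]:
        problems.append(
            f"more than {prd['max_consecutive_identical']} consecutive identical characters"
        )
    return problems


def generate(prd=EXAMPLE_PRD, length=16):
    """Generate a valid password with the OS CSPRNG (secrets module).

    The first character is drawn from the required set; the rest are drawn
    uniformly from the pool, and the candidate is re-drawn until it passes
    violations(). Rejection sampling keeps the result uniform over the valid
    strings of this length.
    """
    if not prd["min_length"] <= length <= prd["max_length"]:
        raise ValueError("requested length lies outside the PRD's bounds")
    # Spaces are permitted by this PRD but are not drawn: a leading or trailing
    # space is easily lost when a password is copied between programs.
    pool = "".join(s for name, s in CHARSETS.items() if name != "space")
    while True:
        pw = secrets.choice(CHARSETS[prd["first_char_set"]])
        pw += "".join(secrets.choice(pool) for _ in range(length - 1))
        if not violations(pw, prd):
            return pw


if __name__ == "__main__":
    print(generate())
    print(violations("Password1"))
```

The validator reports every failed rule rather than stopping at the first one, which is what a generator needs in order to explain a rejection; the generator re-uses the same validator so the two cannot drift apart.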

B Keywords

In the following appendix, we list the keywords that are used by the Keyword Annotator (cf. Sect. 4.1). The keywords are separated into three categories. First, keywords intended to find requirements with respect to the character sets. Second, usage verbs, used to interpret negation such as “do not use”. Third, keywords that focus on the minimum and maximum password length. We took the keywords from the password requirements of 20 websites and extended them by linguistically related words and terms (e.g. characters → character → chars → char).

Character Sets

  • alphanumeric, alphanumeric characters

  • characters, character, chars, char

  • number, numbers, numeral, numerals, numeric character, numeric characters

  • english characters, non-blank characters, letter, letters, alphabetic, alphabetic character, alphabetic characters

  • lowercase, lowercase letter, lowercase letters, lowercase character, lowercase characters, lower case, lower case letter, lower case letters, lower case character, lower case characters

  • uppercase, uppercase letter, uppercase letters, uppercase character, uppercase characters, upper case, upper case letter, upper case letters, upper case character, upper case characters, capital letter, capital letters, capital character, capital characters

  • space, space character, spaces, blanks, blank spaces, blank space

  • special character, special characters, special char, special chars, symbol, symbols

  • consecutive, repeat, repeated, sequences, same

Usage Verbs

  • contain, include, use, have, exceed

Lengths

  • minimum, min, at least, more than, longer than, or longer, or more

  • maximum, max, less than, fewer than, at most, up to, or less

  • exactly
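An added example, not the paper's UIMA-based Keyword Annotator, showing how the keyword lists above can drive a small annotator in Python: phrases are matched longest-first so that "lowercase letters" is not split into "lowercase" and "letters", usage verbs are flagged as negated when a negation cue precedes them, and the length keywords are turned into inclusive minimum and maximum bounds. The sample requirement text, the negation cues and the reading of a negated "exceed" as a maximum are assumptions of this example.

```python
import re

# Keyword lists from Appendix B (abridged), grouped by the paper's three categories.
KEYWORDS = {
    "charset": [
        "alphanumeric characters", "alphanumeric", "characters", "character", "chars", "char",
        "numeric characters", "numeric character", "numerals", "numeral", "numbers", "number",
        "alphabetic characters", "alphabetic character", "alphabetic", "letters", "letter",
        "lowercase letters", "lowercase letter", "lowercase", "lower case letters", "lower case",
        "uppercase letters", "uppercase letter", "uppercase", "upper case letters", "upper case",
        "capital letters", "capital letter",
        "space character", "spaces", "space", "blank spaces", "blank space", "blanks",
        "special characters", "special character", "special chars", "special char", "symbols", "symbol",
        "consecutive", "repeated", "repeat", "sequences", "same",
    ],
    "usage_verb": ["contain", "include", "use", "have", "exceed"],
    "length": [
        "minimum", "min", "at least", "more than", "longer than", "or longer", "or more",
        "maximum", "max", "less than", "fewer than", "at most", "up to", "or less", "exactly",
    ],
}

# Negation cues are an assumption of this example; the paper only cites "do not use".
NEGATIONS = {"not", "no", "never", "cannot", "without"}

# Constructed sample of a service's requirement text (not taken from any real site).
SAMPLE = ("Your password must be at least 8 characters long and may not exceed "
          "20 characters. It must contain a number and must not contain spaces.")

# One alternation sorted longest-first, so "lowercase letters" wins over "letters".
_PHRASES = sorted(
    [(kw, cat) for cat, kws in KEYWORDS.items() for kw in kws], key=lambda p: -len(p[0])
)
_CATEGORY = dict(_PHRASES)
_PATTERN = re.compile(
    r"\b(" + "|".join(re.escape(kw) for kw, _ in _PHRASES) + r")\b", re.IGNORECASE
)


def _negated(text, pos, window=3):
    """True if a negation cue appears within `window` words before offset pos."""
    words = re.findall(r"[a-z']+", text[:pos].lower())[-window:]
    return any(w in NEGATIONS or w.endswith("n't") for w in words)


def annotate(text):
    """Return (start, end, matched_text, category, negated) for each keyword hit."""
    hits = []
    for m in _PATTERN.finditer(text):
        cat = _CATEGORY[m.group(1).lower()]
        neg = cat == "usage_verb" and _negated(text, m.start())
        hits.append((m.start(), m.end(), m.group(1), cat, neg))
    return hits


def interpret_length(text):
    """Derive (min_length, max_length) from length keywords next to a number.

    Exclusive phrasings are normalised to inclusive bounds ("more than 7" is a
    minimum of 8, "fewer than 17" a maximum of 16). A negated "exceed" is read
    as a maximum; that is this example's interpretation, not a rule from the paper.
    """
    t = text.lower()

    def after(words):   # number following the keyword, e.g. "at least 8"
        m = re.search(r"\b(?:" + words + r")\b\D{0,12}?(\d+)", t)
        return int(m.group(1)) if m else None

    def before(words):  # number preceding the keyword, e.g. "8 or more"
        m = re.search(r"(\d+)\s*(?:characters?|chars?)?\s*\b(?:" + words + r")\b", t)
        return int(m.group(1)) if m else None

    exact = after("exactly")
    if exact is not None:
        return exact, exact

    min_len = after("at least|minimum|min")
    if min_len is None:
        min_len = before("or more|or longer")
    if min_len is None:
        n = after("more than|longer than")
        min_len = None if n is None else n + 1

    max_len = after("at most|maximum|max|up to")
    if max_len is None:
        max_len = before("or less")
    if max_len is None:
        n = after("less than|fewer than")
        max_len = None if n is None else n - 1
    if max_len is None:
        max_len = after(r"(?:not|never|cannot|can't|don't)\s+exceed")
    return min_len, max_len


if __name__ == "__main__":
    for hit in annotate(SAMPLE):
        print(hit)
    print(interpret_length(SAMPLE))
```

The annotator only labels spans; turning them into a PRD is a second step, and the length interpreter shows the kind of normalisation that step needs. It is deliberately limited: a phrase such as "not more than 20" would be misread as a minimum here, which is exactly the sort of case that motivated the paper's use of usage verbs to carry negation.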

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Horsch, M., Schlipf, M., Braun, J., Buchmann, J. (2016). Password Requirements Markup Language. In: Liu, J., Steinfeld, R. (eds) Information Security and Privacy. ACISP 2016. Lecture Notes in Computer Science, vol. 9722. Springer, Cham. https://doi.org/10.1007/978-3-319-40253-6_26

  • DOI: https://doi.org/10.1007/978-3-319-40253-6_26

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-40252-9

  • Online ISBN: 978-3-319-40253-6