ABSTRACT
We begin an investigation into the semantic patterns underlying user choice in passwords. Understanding semantic patterns provides insight into how people choose passwords, which in turn can be used to inform usable password policies and password guidelines. As semantic patterns are difficult to recognize automatically, we turn to visualization to aid in their discovery. We focus on dates in passwords, designing an interactive visualization for their detailed analysis, and using it to explore the RockYou dataset of over 32 million passwords. Our visualization enabled us to analyze the dataset in many dimensions, including the relationship between dates and their co-occurring text. We use our observations from the visualization to guide further analysis, which leads to two findings: nearly 5% of passwords in the RockYou dataset represent pure dates (either purely numerical or mixed alphanumeric representations), and the dates that people choose exhibit many patterns (such as repetition, the first days of the month, recent years, and holidays).
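An added example, not code from the paper: a small Python check, usable in a password-policy filter, that flags passwords consisting only of a date in the purely numerical and mixed alphanumeric forms the abstract mentions. The digit layouts, the separator set, the month-name spellings and the 1900-2099 year window are assumptions chosen for illustration, and the sample list is constructed.

```python
import re
from datetime import date

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
# Assumed digit layouts (d=day, m=month, y=year); not taken from the paper.
LAYOUTS = {6: ["ddmmyy", "mmddyy", "yymmdd"],
           8: ["ddmmyyyy", "mmddyyyy", "yyyymmdd"]}
# Assumed mixed forms: day+month-name+year and month-name+day+year.
ALPHA = [re.compile(r"(?P<d>[0-9]{1,2})(?P<mon>[a-z]+)(?P<y>[0-9]{4}|[0-9]{2})"),
         re.compile(r"(?P<mon>[a-z]+)(?P<d>[0-9]{1,2})(?P<y>[0-9]{4}|[0-9]{2})")]

def is_real_date(d, m, y):
    """True if the digit strings form a calendar date in 1900-2099.
    A two-digit year is tried in both centuries."""
    years = [int(y)] if len(y) == 4 else [1900 + int(y), 2000 + int(y)]
    for year in years:
        if not 1900 <= year <= 2099:
            continue
        try:
            date(year, int(m), int(d))
            return True
        except ValueError:
            pass
    return False

def classify(password):
    """Return 'numeric-date', 'alpha-date', or None."""
    pw = password.strip().lower()
    digits = re.sub(r"[-/.]", "", pw)          # assumed separators
    if re.fullmatch(r"[0-9]+", digits) and len(digits) in LAYOUTS:
        for layout in LAYOUTS[len(digits)]:
            field = lambda c: digits[layout.index(c):layout.rindex(c) + 1]
            if is_real_date(field("d"), field("m"), field("y")):
                return "numeric-date"
        return None
    for rx in ALPHA:
        hit = rx.fullmatch(pw)
        if hit:
            months = [i for i, name in enumerate(MONTHS, 1)
                      if hit["mon"] in (name, name[:3])]
            if months and is_real_date(hit["d"], str(months[0]), hit["y"]):
                return "alpha-date"
    return None

def date_share(passwords):
    """Fraction of the list that is a pure date under the assumed layouts."""
    return sum(1 for p in passwords if classify(p)) / len(passwords) if passwords else 0.0

# Constructed sample, not drawn from any real dataset.
SAMPLE = ["14021989", "12jan1990", "december252007", "31/12/99", "password1",
          "12345678", "qwerty", "30021990", "sunshine07", "010101"]
```

A policy filter would reject or warn on any candidate for which `classify` returns a label; `date_share` gives the same measurement over a list of candidates.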
Index Terms
- Visualizing semantics in passwords: the role of dates