DOI: 10.1145/3027063.3053100

Do Differences in Password Policies Prevent Password Reuse?

Published: 06 May 2017

ABSTRACT

Password policies were originally designed to make users pick stronger passwords. However, research has shown that they often fail to achieve this goal. In a systematic audit of the top 100 websites in Germany, we explore whether diversity in current real-world password policies prevents password reuse. We found that this is not the case: we are the first to show that a single password could hypothetically fulfill 99% of the policies under consideration. This is especially problematic because password reuse exposes users to similar risks as weak passwords. We thus propose a new approach for policies that focuses on password reuse and respects other websites to determine if a password should be accepted. This re-design takes current user behavior into account and potentially boosts the usability and security of password-based authentication.
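The abstract's central finding is that real-world composition policies overlap so heavily that one password satisfies almost all of them, which is exactly what makes reuse easy. The following added example (not code from the paper or its authors) models a small set of constructed, hypothetical site policies, checks a candidate password against each one, and merges the set into its strictest combined requirement. The site names and rules are invented for illustration, not the audited German policies.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Policy:
    """A password composition policy, as a site would enforce at signup."""
    site: str
    min_length: int = 1
    max_length: Optional[int] = None   # None: no upper bound
    require_lower: bool = False
    require_upper: bool = False
    require_digit: bool = False
    require_symbol: bool = False        # any non-alphanumeric character
    forbidden_chars: str = ""           # characters the site rejects outright


def violations(password: str, policy: Policy) -> List[str]:
    """Return the rules in `policy` that `password` breaks (empty list = accepted)."""
    broken = []
    if len(password) < policy.min_length:
        broken.append(f"shorter than {policy.min_length}")
    if policy.max_length is not None and len(password) > policy.max_length:
        broken.append(f"longer than {policy.max_length}")
    if policy.require_lower and not any(c.islower() for c in password):
        broken.append("no lowercase letter")
    if policy.require_upper and not any(c.isupper() for c in password):
        broken.append("no uppercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        broken.append("no digit")
    if policy.require_symbol and not any(not c.isalnum() for c in password):
        broken.append("no symbol")
    bad = sorted(set(password) & set(policy.forbidden_chars))
    if bad:
        broken.append(f"forbidden characters {bad!r}")
    return broken


def accepted_by(password: str, policies: List[Policy]) -> Dict[str, bool]:
    """Map each site to whether it would accept `password`."""
    return {p.site: not violations(password, p) for p in policies}


def acceptance_rate(password: str, policies: List[Policy]) -> float:
    """Fraction of the policy set that `password` satisfies (the paper's 99% figure is this ratio)."""
    results = accepted_by(password, policies)
    return sum(results.values()) / len(results)


def combined_requirements(policies: List[Policy]) -> dict:
    """Merge policies into the strictest requirement on each axis.

    A password meeting the merged requirements is accepted by every policy in
    the set, unless the merged minimum and maximum lengths conflict."""
    maxes = [p.max_length for p in policies if p.max_length is not None]
    merged = {
        "min_length": max(p.min_length for p in policies),
        "max_length": min(maxes) if maxes else None,
        "require_lower": any(p.require_lower for p in policies),
        "require_upper": any(p.require_upper for p in policies),
        "require_digit": any(p.require_digit for p in policies),
        "require_symbol": any(p.require_symbol for p in policies),
        "forbidden_chars": "".join(sorted(set("".join(p.forbidden_chars for p in policies)))),
    }
    merged["satisfiable"] = (merged["max_length"] is None
                             or merged["min_length"] <= merged["max_length"])
    return merged


# Constructed, hypothetical policies (not the sites or rules from the paper's audit).
POLICIES = [
    Policy("shop.example", min_length=8),
    Policy("bank.example", min_length=8, require_upper=True, require_lower=True, require_digit=True),
    Policy("mail.example", min_length=6, require_digit=True),
    Policy("forum.example", min_length=5, max_length=20),
    Policy("legacy.example", min_length=8, max_length=12, forbidden_chars=" "),
    Policy("paranoid.example", min_length=14, require_symbol=True),
]

if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3Xyz!!", "password"):
        print(candidate, accepted_by(candidate, POLICIES),
              f"{acceptance_rate(candidate, POLICIES):.0%} of policies")
    print(combined_requirements(POLICIES))
```

The merged requirement shows why overlap is the norm: most policies are weaker subsets of the strictest one, so a single password built for the strictest site passes the rest. Only a genuinely conflicting pair (here the 12-character cap against the 14-character minimum) keeps one password from satisfying the whole set, and such conflicts are the exception the paper's 99% figure leaves room for.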


Published in: CHI EA '17: Proceedings of the 2017 CHI Conference Extended Abstracts on Human Factors in Computing Systems, May 2017, 3954 pages. ISBN: 9781450346566. DOI: 10.1145/3027063

        Copyright © 2017 Owner/Author

        Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rates: CHI EA '17 paper acceptance rate 1,000 of 5,000 submissions (20%); overall acceptance rate 6,164 of 23,696 submissions (26%).
