ABSTRACT
Password policies were originally designed to make users pick stronger passwords. However, research has shown that they often fail to achieve this goal. In a systematic audit of the top 100 web sites in Germany, we explore whether the diversity of current real-world password policies prevents password reuse. We found that it does not: we are the first to show that a single password could hypothetically fulfill 99% of the policies under consideration. This is especially problematic because password reuse exposes users to risks similar to those of weak passwords. We therefore propose a new approach to policies that focuses on password reuse and considers other websites when deciding whether a password should be accepted. This redesign accounts for current user behavior and potentially boosts both the usability and the security of password-based authentication.
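The abstract's central finding, that one password can satisfy almost every composition policy at once, follows from the shape of such policies: each is a conjunction of monotone rules (a minimum length, a maximum length, "at least N character classes", "must contain a digit", "no spaces"), so their strictest combination is itself a policy, and any password meeting that joint policy meets all of them. The following is an added example, not code from the paper, and the seven policies in it are constructed for illustration rather than taken from the German sites that were audited. It models composition rules only; blocklists, dictionary checks and breached-password lookups are outside the model.

```python
import re
from dataclasses import dataclass

# Character classes used by typical composition rules.
CLASS_PATTERNS = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


@dataclass(frozen=True)
class Policy:
    """A composition policy: length bounds, required classes, forbidden characters."""
    name: str
    min_len: int = 1
    max_len: int = 128
    min_classes: int = 0                # "at least N of the four classes"
    require: frozenset = frozenset()    # classes that must appear, e.g. {"digit"}
    forbid_chars: str = ""              # characters the site rejects outright


def classes_present(password: str) -> set:
    return {name for name, rx in CLASS_PATTERNS.items() if rx.search(password)}


def satisfies(password: str, policy: Policy) -> bool:
    """True if the password meets every rule of a single policy."""
    if not policy.min_len <= len(password) <= policy.max_len:
        return False
    present = classes_present(password)
    if len(present) < policy.min_classes:
        return False
    if not policy.require <= present:
        return False
    return not any(ch in policy.forbid_chars for ch in password)


def coverage(password: str, policies) -> list:
    """Names of the policies a single password would satisfy."""
    return [p.name for p in policies if satisfies(password, p)]


def joint_policy(policies) -> Policy:
    """The strictest policy implied by all of them. Because every rule is monotone
    and policies are conjunctions, a password meeting the joint policy meets each
    member policy individually."""
    return Policy(
        name="joint",
        min_len=max(p.min_len for p in policies),
        max_len=min(p.max_len for p in policies),
        min_classes=max(p.min_classes for p in policies),
        require=frozenset().union(*(p.require for p in policies)),
        forbid_chars="".join(sorted(set("".join(p.forbid_chars for p in policies)))),
    )


def satisfiable(policy: Policy) -> bool:
    """Necessary conditions for a (joint) policy to admit any password at all:
    a non-empty length window and room for every required class."""
    return (policy.min_len <= policy.max_len
            and policy.min_classes <= len(CLASS_PATTERNS)
            and policy.min_classes <= policy.max_len
            and len(policy.require) <= policy.max_len)


# Constructed policies for illustration; these are NOT the policies of the
# web sites audited in the paper.
POLICIES = [
    Policy("site_a", min_len=8),
    Policy("site_b", min_len=6, min_classes=2),
    Policy("site_c", min_len=8, require=frozenset({"lower", "upper", "digit"})),
    Policy("site_d", min_len=10, max_len=20, require=frozenset({"symbol"})),
    Policy("site_e", min_len=4, forbid_chars=" "),
    Policy("site_f", max_len=12, min_classes=3),
    Policy("site_g", min_len=16),       # passphrase-style outlier
]

if __name__ == "__main__":
    candidate = "Passw0rd!Ab"           # 11 chars, all four classes, no spaces
    print(coverage(candidate, POLICIES))          # 6 of 7: only site_g rejects it
    print(satisfiable(joint_policy(POLICIES)))    # False: site_f caps at 12, site_g needs 16
    joint = joint_policy(POLICIES[:6])
    print(joint, satisfies(candidate, joint))     # True: one password for six sites
```

Running this shows the mechanism behind the 99% figure: a single password built to the joint constraints passes every site whose policy contributed to them, and only a policy whose window is incompatible with the rest (here the 16-character minimum against a 12-character cap) forces a second password. An audit over real policies would simply feed `joint_policy` the rules scraped from each site's registration form.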
Do Differences in Password Policies Prevent Password Reuse?