ABSTRACT
Given the widespread use of password authentication in online correspondence, subscription services, and shopping, there is growing concern about identity theft. When people reuse passwords across multiple accounts, they increase their exposure: compromising one password can let an attacker take over several accounts. Our study of 49 undergraduates quantifies how many passwords they had and how often they reused them. The majority of users had three or fewer passwords, and each password was reused twice. Furthermore, over time, reuse rates increased because people accumulated more accounts but did not create more passwords. Users justified their habits: while they wanted to protect financial data and personal communication, reusing passwords made passwords easier to manage. Users visualized threats as coming from human attackers, viewing those close to them as the most motivated and capable; however, participants did not separate human attackers from the automated tools those attackers might use. They sometimes failed to realize that personalized passwords such as phone numbers can be cracked given a large enough dictionary and enough tries. We discuss how current systems support poor password practices and present potential changes in website authentication systems and password managers.
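Two claims in the abstract are easy to make concrete in code: a phone number is a "personal" password only in the user's mental model, because its structure makes it enumerable by an automated tool; and a password manager that derives a distinct password per site removes the domino effect of reuse. The following script is an added example written for this page; it is not code from the paper or its authors. It assumes a constructed scenario: a site stores the unsalted SHA-256 of the password (a weak but historically common choice), the victim chose a phone number from the reserved fictional 555-01xx range, and the attacker is an acquaintance who knows the victim's area code and exchange. The names VICTIM_PASSWORD, crack_phone_number, seconds_to_exhaust and derive_site_password are this example's own.

```python
"""Added example (not from the paper): a phone-number password is a small,
structured keyspace, and per-site derived passwords stop reuse from cascading."""
import base64
import hashlib
import hmac
import itertools
import string

# Constructed scenario (assumption): the site stores sha256(password) with no
# salt, and the user chose their phone number. 555-01xx is a fictional range.
VICTIM_PASSWORD = "6095550147"
LEAKED_HASH = hashlib.sha256(VICTIM_PASSWORD.encode()).hexdigest()


def seconds_to_exhaust(unknown_digits: int, guesses_per_second: float) -> float:
    """Worst-case time to try every digit string of the given length.
    The guess rate is a parameter, not a measurement: offline cracking of an
    unsalted fast hash runs at billions of guesses per second on one GPU,
    while online guessing against a rate-limited login form is far slower."""
    return 10 ** unknown_digits / guesses_per_second


def crack_phone_number(leaked_hash: str, known_prefix: str, unknown_digits: int):
    """Enumerate every digit string after a known prefix (e.g. area code and
    exchange, which an acquaintance knows) and compare hashes.
    Returns (password, guesses_made), or (None, guesses_made) on exhaustion."""
    guesses = 0
    for tail in itertools.product(string.digits, repeat=unknown_digits):
        candidate = known_prefix + "".join(tail)
        guesses += 1
        if hashlib.sha256(candidate.encode()).hexdigest() == leaked_hash:
            return candidate, guesses
    return None, guesses


def derive_site_password(master_secret: str, site: str, length: int = 16) -> str:
    """One memorised secret, one distinct password per site:
    HMAC-SHA256 keyed with the master, message = canonicalised site name,
    encoded in base64 and truncated. Two sites never share a password, and a
    password leaked from one site does not directly reveal another's.
    Simplification (assumption): no slow KDF; see the note below."""
    digest = hmac.new(master_secret.encode(), site.lower().encode(),
                      hashlib.sha256).digest()
    return base64.b64encode(digest)[:length].decode()


if __name__ == "__main__":
    # Acquaintance threat model: area code and exchange known, 10**4 candidates.
    pw, n = crack_phone_number(LEAKED_HASH, "609555", 4)
    print(f"recovered {pw} after {n} guesses")
    # A stranger facing 7 or even 10 unknown digits is not stopped either.
    for digits in (4, 7, 10):
        t = seconds_to_exhaust(digits, 1e9)
        print(f"{digits} unknown digits: {t:g} s at 1e9 guesses/s")
    # Reuse replaced by derivation: same master, different sites, different passwords.
    master = "a long memorised passphrase"
    print(derive_site_password(master, "bank.example"))
    print(derive_site_password(master, "mail.example"))
```

Two caveats a practitioner would add. First, salting would defeat a precomputed table but not this attack: the candidate space is 10^4 to 10^10 regardless, so only a slow, salted hash (or online rate limiting) buys time, and even then a 7-digit space is small. Second, a derived-password scheme only moves the risk onto the master secret: anyone holding one derived password and knowing the site name can guess the master offline, so real schemes stretch the master with a slow KDF and the master itself must be strong, which is why this example labels its plain HMAC as a simplification.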
Index Terms
- Password management strategies for online accounts