Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms
TLDR
We develop an efficient distributed method for calculating how effectively several heuristic password-guessing algorithms guess passwords.
  • 369
  • 30
Of passwords and people: measuring the effect of password-composition policies
TLDR
We present a large-scale study that investigates password strength, user behavior, and user sentiment across four password-composition policies and find that a number of commonly held beliefs about password composition and strength are inaccurate.
  • 340
  • 26
Encountering stronger password requirements: user attitudes and behaviors
TLDR
A new password policy at Carnegie Mellon University requires users to create a complex password, but most users believe that they are now more secure.
  • 308
  • 23
How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation
TLDR
We present a 2,931-subject study of password creation in the presence of 14 password meters.
  • 264
  • 21
Measuring Real-World Accuracies and Biases in Modeling Password Guessability
TLDR
We investigate how cracking approaches often used by researchers compare to real-world cracking by professionals, as well as how the choice of approach biases research conclusions.
  • 125
  • 21
You Get Where You're Looking for: The Impact of Information Sources on Code Security
TLDR
Vulnerabilities in Android code -- including but not limited to insecure data storage, unprotected inter-component communication, broken TLS implementations, and violations of least privilege -- have enabled real-world privacy leaks and motivated research cataloguing their prevalence and impact.
  • 147
  • 18
Measuring password guessability for an entire university
TLDR
We study the single-sign-on passwords used by over 25,000 faculty, staff, and students at a research university with a complex password policy.
  • 182
  • 14
Comparing the Usability of Cryptographic APIs
TLDR
We examine how and why the design and resulting usability of different cryptographic libraries affects the security of code written with them, with the goal of understanding how to build effective future libraries.
  • 115
  • 13
Security Developer Studies with GitHub Users: Exploring a Convenience Sample
TLDR
The usable security community is increasingly considering how to improve security decision-making not only for end users, but also for information technology professionals.
  • 49
  • 11
Correct horse battery staple: exploring the usability of system-assigned passphrases
TLDR
We explored the usability of 3- and 4-word system-assigned passphrases in comparison to system-assigned passwords composed of 5 to 6 random characters, and 8-character system-assigned pronounceable passwords.
  • 127
  • 10