• Publications
  • Influence
Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms
TLDR
We develop an efficient distributed method for calculating how effectively several heuristic password-guessing algorithms guess passwords. Expand
  • 369
  • 30
  • PDF
Of passwords and people: measuring the effect of password-composition policies
TLDR
We present a large-scale study that investigates password strength, user behavior, and user sentiment across four password-composition policies and find that a number of commonly held beliefs about password composition and strength are inaccurate. Expand
  • 340
  • 26
  • PDF
Encountering stronger password requirements: user attitudes and behaviors
TLDR
A new password policy at Carnegie Mellon University requires users to create a complex password, but most users believe that they are now more secure. Expand
  • 308
  • 23
  • PDF
How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation
TLDR
We present a 2,931-subject study of password creation in the presence of 14 password meters. Expand
  • 264
  • 21
  • PDF
Measuring Real-World Accuracies and Biases in Modeling Password Guessability
TLDR
We investigate how cracking approaches often used by researchers compare to real-world cracking by professionals, as well as how the choice of approach biases research conclusions. Expand
  • 125
  • 21
  • PDF
Smart, useful, scary, creepy: perceptions of online behavioral advertising
TLDR
We report results of 48 semi-structured interviews about online behavioral advertising (OBA). Expand
  • 249
  • 18
  • PDF
Measuring password guessability for an entire university
TLDR
We study the single-sign-on passwords used by over 25,000 faculty, staff, and students at a research university with a complex password policy. Expand
  • 182
  • 14
  • PDF
Why Johnny can't opt out: a usability evaluation of tools to limit online behavioral advertising
TLDR
We present results of a 45-participant laboratory study investigating the usability of nine tools to limit online behavioral advertising. Expand
  • 153
  • 11
  • PDF
Correct horse battery staple: exploring the usability of system-assigned passphrases
TLDR
We explored the usability of 3- and 4-word system-assigned passphrases in comparison to system-Assigned passwords composed of 5 to 6 random characters, and 8-character system-ASSIGN pronounceable passwords. Expand
  • 127
  • 10
  • PDF
Usability and Security of Text Passwords on Mobile Devices
TLDR
We compare the strength and usability of passwords created on mobile devices with those created and used on desktops, while varying password policy requirements and input methods. Expand
  • 72
  • 8
  • PDF