A large-scale study of web password habits

@inproceedings{Florncio2007ALS,
  title={A large-scale study of web password habits},
  author={Dinei A. F. Flor{\^e}ncio and Cormac Herley},
  booktitle={WWW '07},
  year={2007}
}
We report the results of a large scale study of password use and password re-use habits. Key Result: The data is the first large scale study of its kind, and yields numerous other insights into the role the passwords play in users' online experience.
Statistics on Password Re-use and Adaptive Strength for Financial Accounts
TLDR
A dataset is extracted from a large dump of malware records which contains multiple accounts (and passwords) per user and thus allows us to study both password re-use and the correlation between the value of an account and the strength of the passwords for those accounts.
A Case Study of Password Usage for Domestic Users
TLDR
A domestic user case of password selection and management is studied and it is found that there are password structures and special characters that users significantly prefer while the effect of server's password creation rule is insignificant.
An Empirical Study on the Web Password Strength in Greece
TLDR
The findings indicate that a significant percentage of users chooses easily-guessed passwords, and there are users that prefer passwords containing characters from the Greek alphabet, much harder to guess.
On Password Strength: A Survey and Analysis
TLDR
Various metrics of password quality are reviewed, including one proposed, and their strengths and weaknesses as well as the relationships between these metrics are compared, and a close positive correlation between the difficulty of guessing and the quality of the passwords is indicated.
The Tangled Web of Password Reuse
TLDR
This paper investigates for the first time how an attacker can leverage a known password from one site to more easily guess that user's password at other sites and develops the first cross-site password-guessing algorithm, able to guess 30% of transformed passwords within 100 attempts.
Understanding Passwords of Chinese Users: A Survey and Empirical Analysis
TLDR
This work conducts the first user survey on the password behaviors of Chinese users, revealing a number of users’ basic coping strategies for managing passwords when they are confronted with the demanding tasks of keeping track of many accounts and passwords.
A Large-Scale Study of Web Password Habits of Chinese Network Users
TLDR
Over 20 million pieces of data published on the Internet by network intruders are collected and some interesting patterns are found in order to quantify password strength through comprehensive analysis of password length, type, and other variables.
Measuring password guessability for an entire university
TLDR
This work studies the single-sign-on passwords used by over 25,000 faculty, staff, and students at a research university with a complex password policy to find significant correlations between a number of demographic and behavioral factors and password strength.
Passwords to absolutely avoid
  • G. Violettas, K. Papadopoulos
  • Computer Science
    The Fifth International Conference on the Applications of Digital Information and Web Technologies (ICADIWT 2014)
  • 2014
TLDR
There is a list of the 100 passwords that Greek users should absolutely avoid using due to the ease of guessing or weak complexity, short length or simply because they exist in every dictionary used for password attacks in the wild.
Of passwords and people: measuring the effect of password-composition policies
TLDR
A large-scale study investigates password strength, user behavior, and user sentiment across four password-composition policies, and describes the predictability of passwords by calculating their entropy, finding that a number of commonly held beliefs about password composition and strength are inaccurate.

References

SHOWING 1-10 OF 19 REFERENCES
Stronger Password Authentication Using Browser Extensions
We describe a browser extension, PwdHash, that transparently produces a different password for each site, improving web password security and defending against password phishing and other attacks.
How to Make Personalized Web Browsing Simple, Secure, and Anonymous
TLDR
An increasing number of web-sites require users to establish an account before they can access the information stored on that site (“personalized web browsing”) and additional information about the user may flow from the user's site to the web-site, due to the nature of the HTTP protocol and the cookie mechanism.
Password memorability and security: empirical results
TLDR
To determine how to help users choose good passwords, the authors performed a controlled trial of the effects of giving users different kinds of advice.
Foiling the cracker: A survey of, and improvements to, password security
TLDR
Some of the problems of current password security are outlined by demonstrating the ease by which individual accounts may be broken, and one solution to this point of system vulnerability, a proactive password checker is proposed.
Password security: a case history
TLDR
The present design of the password security scheme was the result of countering observed attempts to penetrate the system and is a compromise between extreme security and ease of use.
The UNIX system UNIX operating system security
TLDR
Some of the security hazards of the UNIX™ operating system are discussed, and ways to protect against them are suggested, in the hope that an educated community of users will lead to a level of protection that is stronger, but far more importantly, that represents a reasonable and thoughtful balance between security and ease of use of the system.
Users are not the enemy
TLDR
It is argued that to change this state of affairs, security departments need to communicate more with users, and adopt a user-centered design approach.
Estimating the Number of Unseen Species: How Many Words did Shakespeare Know?
This paper is the first of two written by Brad Efron and Ron Thisted studying the frequency distribution of words in the Shakespearean canon. The key idea due to Fisher in the context of sampling of
Good-Turing Smoothing Without Tears
The performance of statistically based techniques for many tasks such as spelling correction, sense disambiguation, and translation is improved if one can estimate a probability for an object of
Microsoft Windows Internals, Fourth Edition: Microsoft Windows Server(TM) 2003, Windows XP, and Windows 2000 (Pro-Developer)
The premier guide to the Windows kernel now covers Windows Server 2003, Windows XP, and Windows 2000, including 64-bit extensions. Get the architectural perspectives and insider insights needed to