Design and Evaluation of a Data-Driven Password Meter

@article{Ur2017DesignAE,
  title={Design and Evaluation of a Data-Driven Password Meter},
  author={Blase Ur and Felicia Alfieri and Maung Aung and Lujo Bauer and Nicolas Christin and Jessica Colnago and Lorrie Faith Cranor and Henry Dixon and Pardis Emami Naeini and Hana Habib and Noah Johnson and William Melicher},
  journal={Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems},
  year={2017}
}
Despite their ubiquity, many password meters provide inaccurate strength estimates. Furthermore, they do not explain to users what is wrong with their password or how to improve it. We describe the development and evaluation of a data-driven password meter that provides accurate strength measurement and actionable, detailed feedback to users. This meter combines neural networks and numerous carefully combined heuristics to score passwords and generate data-driven text feedback about the user's… 

MoiPrivacy: Design and Evaluation of a Personal Password Meter
TLDR
The MoiPrivacy password meter is presented, which extends a neural network- and heuristic-based approach and takes a user's personal information into account when calculating password strength and feedback; it is shown that MoiPrivacy significantly limits the inclusion of personal information in passwords.
SIGCHI Outstanding Dissertation Award -- Supporting Password Decisions with Data
Blase Ur, Computer Science, CHI Extended Abstracts, 2018
TLDR
It is found that the data-driven meter with detailed feedback leads users to create more secure, and no less memorable, passwords than a meter with only a bar as a strength indicator.
Diversify to Survive: Making Passwords Stronger with Adaptive Policies
TLDR
A well-configured, structure-based adaptive password policy can significantly increase password strength with little to no decrease in usability, and it is discussed how system administrators can use these results to improve password diversity.
Studying the Impact of Managers on Password Strength and Reuse
TLDR
It is quantified for the first time that password managers do benefit password strength and uniqueness; however, the results also suggest that those benefits depend on users' strategies, and that managers without password generators tend to aggravate the existing problems.
Let's Go in for a Closer Look: Observing Passwords in Their Natural Habitat
TLDR
The findings suggest that once a user needs to manage a larger number of passwords, they cope by partially and exactly reusing passwords across most of their accounts.
GuidedPass: Helping Users to Create Strong and Memorable Passwords
TLDR
This work proposes GuidedPass – a system that suggests real-time password modifications to users, which preserve the password’s semantic structure, while increasing password strength.
An Explainable Password Strength Meter Addon via Textual Pattern Recognition
TLDR
This paper proposes an addon to PSMs that provides feedback in the form of textual patterns explaining why a password is weak; it can detect twelve types of patterns and effectively helps users create more secure passwords.
A Password Meter without Password Exposure
TLDR
This paper first explores a new online password meter concept that does not require exposing users' passwords to the server side in order to evaluate user-chosen password candidates, and implements the NIST metering method as seminal work in this field.
That password doesn't sound right: interactive password strength sonification
TLDR
This paper investigates the conceptual space of creating usable auditory feedback on password strength, including functional and non-functional requirements, influences and design constraints, and presents web-based implementations of four sonification designs.
Password Creation in the Presence of Blacklists
TLDR
It is found that participants who reused even a modified version of a blacklisted attempt during the password creation task ultimately created significantly weaker passwords than those who did not attempt to use a blacklisted password, but results indicate that text feedback provided by a password meter mitigated this effect.

References (showing 1-10 of 59)

How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation
TLDR
It was found that meters with a variety of visual appearances led users to create longer passwords, however, significant increases in resistance to a password-cracking algorithm were only achieved using meters that scored passwords stringently.
Supporting Password-Security Decisions with Data
TLDR
It is demonstrated how integrating data-driven insights about how users create passwords and how attackers guess them into a tool that presents real-time feedback can equip users to make better passwords.
Does my password go up to eleven?: the impact of password meters on password selection
TLDR
It is concluded that meters result in stronger passwords when users are forced to change existing passwords on "important" accounts and that individual meter design decisions likely have a marginal impact.
Password Meters and Generators on the Web: From Large-Scale Empirical Study to Getting It Right
TLDR
SandPass is proposed, a general web framework that allows secure and modular porting of password meter and generation modules and demonstrates the usefulness of the framework by a reference implementation and a case study with a password meter by the Swedish Post and Telecommunication Agency.
Of passwords and people: measuring the effect of password-composition policies
TLDR
A large-scale study investigates password strength, user behavior, and user sentiment across four password-composition policies, and describes the predictability of passwords by calculating their entropy, finding that a number of commonly held beliefs about password composition and strength are inaccurate.
Measuring password guessability for an entire university
TLDR
This work studies the single-sign-on passwords used by over 25,000 faculty, staff, and students at a research university with a complex password policy to find significant correlations between a number of demographic and behavioral factors and password strength.
From Very Weak to Very Strong: Analyzing Password-Strength Meters
TLDR
Light is shed on how the server end of some meters functions; examples are given of highly inconsistent strength outcomes for the same password across different meters, and of many weak passwords being labeled as strong or even very strong, which may confuse users trying to choose a stronger password.
Do Users' Perceptions of Password Security Match Reality?
TLDR
Large variance in participants' understanding of how passwords may be attacked is found, potentially explaining why users nonetheless make predictable passwords.
Surpass: System-initiated User-replaceable Passwords
TLDR
This paper proposes a system-initiated password scheme called "Surpass" that lets users replace a few characters in a random password to make it more memorable, and suggests that some Surpass policies outperform the original randomly-generated password policy in memorability, while showing a small increase in the percentage of cracked passwords.
A large-scale study of web password habits
TLDR
The study involved half a million users over a three-month period and gathered extremely detailed data on password strength, the types and lengths of passwords chosen, and how they vary by site.