DOI: 10.5555/2362793.2362798

How does your password measure up? the effect of strength meters on password creation

Published: 08 August 2012

Abstract

    To help users create stronger text-based passwords, many web sites have deployed password meters that provide visual feedback on password strength. Although these meters are in wide use, their effects on the security and usability of passwords have not been well studied.
    We present a 2,931-subject study of password creation in the presence of 14 password meters. We found that meters with a variety of visual appearances led users to create longer passwords. However, significant increases in resistance to a password-cracking algorithm were only achieved using meters that scored passwords stringently. These stringent meters also led participants to include more digits, symbols, and uppercase letters.
    Password meters also affected the act of password creation. Participants who saw stringent meters spent longer creating their password and were more likely to change their password while entering it, yet they were also more likely to find the password meter annoying. However, the most stringent meter and those without visual bars caused participants to place less importance on satisfying the meter. Participants who saw more lenient meters tried to fill the meter and were averse to choosing passwords a meter deemed "bad" or "poor." Our findings can serve as guidelines for administrators seeking to nudge users towards stronger passwords.


Published In

Security'12: Proceedings of the 21st USENIX conference on Security symposium, August 2012
43 pages

Publisher: USENIX Association, United States
