DOI: 10.1145/2556288.2557377 · ACM Conferences · CHI Conference Proceedings · Research article · Open access

Can long passwords be secure and usable?

Published: 26 April 2014

Abstract

To encourage strong passwords, system administrators employ password-composition policies, such as a traditional policy requiring that passwords have at least 8 characters from 4 character classes and pass a dictionary check. Recent research has suggested, however, that policies requiring longer passwords with fewer additional requirements can be more usable and in some cases more secure than this traditional policy. To explore long passwords in more detail, we conducted an online experiment with 8,143 participants. Using a cracking algorithm modified for longer passwords, we evaluate eight policies across a variety of metrics for strength and usability. Among the longer policies, we discover new evidence for a security/usability tradeoff, with none being strictly better than another on both dimensions. However, several policies are both more usable and more secure than the traditional policy we tested. Our analyses additionally reveal common patterns and strings found in cracked passwords. We discuss how system administrators can use these results to improve password-composition policies.




    Published In

    CHI '14: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
    April 2014, 4206 pages
    ISBN: 9781450324731
    DOI: 10.1145/2556288
    Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

    Publisher

    Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. authentication
    2. password-composition policies
    3. passwords
    4. security policy
    5. usable security


    Conference

    CHI '14: CHI Conference on Human Factors in Computing Systems
    April 26 - May 1, 2014
    Toronto, Ontario, Canada

    Acceptance Rates

    CHI '14 Paper Acceptance Rate: 465 of 2,043 submissions, 23%
    Overall Acceptance Rate: 6,199 of 26,314 submissions, 24%

    Article Metrics

    • Downloads (last 12 months): 375
    • Downloads (last 6 weeks): 43
    Reflects downloads up to 03 Oct 2024

    Cited By

    • (2024) PassRVAE: Improved Trawling Attacks via Recurrent Variational Autoencoder. Proceedings of the 2024 3rd International Conference on Cryptography, Network Security and Communication Technology, pp. 98-106. DOI: 10.1145/3673277.3673295. Online publication date: 19 Jan 2024.
    • (2024) Enhancing User Authentication with a Secure Human-Computable Password Scheme. 2024 Second International Conference on Emerging Trends in Information Technology and Engineering (ICETITE), pp. 1-6. DOI: 10.1109/ic-ETITE58242.2024.10493581. Online publication date: 22 Feb 2024.
    • (2024) PagPassGPT: Pattern Guided Password Guessing via Generative Pretrained Transformer. 2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 429-442. DOI: 10.1109/DSN58291.2024.00049. Online publication date: 24 Jun 2024.
    • (2023) Security and Performance of Knowledge-Based User Authentication for Smart Devices. Information Security and Privacy in Smart Devices, pp. 41-70. DOI: 10.4018/978-1-6684-5991-1.ch002. Online publication date: 31 Mar 2023.
    • (2023) An Empirical Analysis of Enterprise-Wide Mandatory Password Updates. Proceedings of the 39th Annual Computer Security Applications Conference, pp. 150-162. DOI: 10.1145/3627106.3627198. Online publication date: 4 Dec 2023.
    • (2023) A Deep Dive into User's Preferences and Behavior around Mobile Phone Sharing. Proceedings of the ACM on Human-Computer Interaction 7:CSCW1, pp. 1-22. DOI: 10.1145/3579595. Online publication date: 16 Apr 2023.
    • (2023) Measuring Website Password Creation Policies At Scale. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 3108-3122. DOI: 10.1145/3576915.3623156. Online publication date: 15 Nov 2023.
    • (2023) "Make Them Change it Every Week!": A Qualitative Exploration of Online Developer Advice on Usable and Secure Authentication. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 2740-2754. DOI: 10.1145/3576915.3623072. Online publication date: 15 Nov 2023.
    • (2023) Investigating the Password Policy Practices of Website Administrators. 2023 IEEE Symposium on Security and Privacy (SP), pp. 552-569. DOI: 10.1109/SP46215.2023.10179288. Online publication date: May 2023.
    • (2023) ttPAKE: Typo tolerance password-authenticated key exchange. Journal of Information Security and Applications 79, article 103658. DOI: 10.1016/j.jisa.2023.103658. Online publication date: Dec 2023.
