DOI: 10.1145/2699026.2699118
Short paper

Password Meters and Generators on the Web: From Large-Scale Empirical Study to Getting It Right

Published: 02 March 2015

Abstract

    Web services heavily rely on passwords for user authentication. To help users choose stronger passwords, password meter and password generator facilities are becoming increasingly popular. Password meters estimate the strength of passwords provided by users. Password generators help users generate stronger passwords. This paper turns the spotlight on the state of the art of password meters and generators on the web. Orthogonal to the large body of work on password metrics, we focus on getting password meters and generators right in the web setting. We report on the state of affairs via a large-scale empirical study of web password meters and generators. Our findings reveal pervasive trust in third-party code, which is given access to the passwords. We uncover three cases where this trust is abused to leak the passwords to third parties. Furthermore, we discover that the passwords are often sent out to the network, invisibly to users, and sometimes in the clear. To improve the state of the art, we propose SandPass, a general web framework that allows secure and modular porting of password meter and generation modules. We demonstrate the usefulness of the framework by a reference implementation and a case study of a password meter by the Swedish Post and Telecommunication Agency.



    Published In

    CODASPY '15: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy
    March 2015, 362 pages
    ISBN: 9781450331913
    DOI: 10.1145/2699026
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. passwords
    2. sandboxing
    3. web security

    Qualifiers

    • Short-paper

    Conference

    CODASPY'15

    Acceptance Rates

    CODASPY '15 Paper Acceptance Rate 19 of 91 submissions, 21%;
    Overall Acceptance Rate 149 of 789 submissions, 19%

    Article Metrics

    • Downloads (Last 12 months)32
    • Downloads (Last 6 weeks)8
    Reflects downloads up to 27 Jul 2024

    Cited By

    • (2023) No single silver bullet. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 947-964. DOI: 10.5555/3620237.3620291. Published 9 Aug 2023.
    • (2022) Hybrid password meters for more secure passwords – a comprehensive study of password meters including nudges and password information. Behaviour & Information Technology 42(6), pp. 700-743. DOI: 10.1080/0144929X.2022.2042384. Published 1 Mar 2022.
    • (2019) Using Gamification to Improve Information Security Behavior: A Password Strength Experiment. Information Security Education. Education in Proactive Information Security, pp. 157-169. DOI: 10.1007/978-3-030-23451-5_12. Published 19 Jun 2019.
    • (2017) Design and Evaluation of a Data-Driven Password Meter. Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, pp. 3775-3786. DOI: 10.1145/3025453.3026050. Published 2 May 2017.
    • (2017) Measuring login webpage security. Proceedings of the Symposium on Applied Computing, pp. 1753-1760. DOI: 10.1145/3019612.3019798. Published 3 Apr 2017.
    • (2016) Online Tracking. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1388-1401. DOI: 10.1145/2976749.2978313. Published 24 Oct 2016.
    • (2016) Data Exfiltration in the Face of CSP. Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pp. 853-864. DOI: 10.1145/2897845.2897899. Published 30 May 2016.
    • (2016) Do Users' Perceptions of Password Security Match Reality? Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems, pp. 3748-3760. DOI: 10.1145/2858036.2858546. Published 7 May 2016.
    • (2015) "I added '!' at the end to make it secure". Proceedings of the Eleventh USENIX Conference on Usable Privacy and Security, pp. 123-140. DOI: 10.5555/3235866.3235877. Published 22 Jul 2015.
