Access the full text.
Sign up today, get DeepDyve free for 14 days.
Loading next page...
/lp/association-for-computing-machinery/designing-password-policies-for-strength-and-usability-vabYZifB8N
References (88)
-
Matteo Dell'Amico, M. Filippone (2015)
Monte Carlo Strength Evaluation: Fast and Reliable Password CheckingProceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
-
E. Zezschwitz, A. Luca, H. Hussmann (2014)
Honey, I shrunk the keys: influences of mobile devices on password composition and authentication performanceProceedings of the 8th Nordic Conference on Human-Computer Interaction: Fun, Fast, Foundational
-
P. Inglesant, M. Sasse (2010)
The true cost of unusable password policies: password use in the wildProceedings of the SIGCHI Conference on Human Factors in Computing Systems
-
Rick Wash (2010)
Folk models of home computer securityProc. SOUPS
-
Anjie Zheng (2015)
VTech Has Yet to Put a Price on Hack, Chairman SaysWall Street Journal. Retrieved from http://www.wsj.com/articles/vtech-has-yet-to-put-a-price-on-hack-chairman-says-1449556689. (December 8, 2015)., 8
-
Lorrie Faith Cranor, and Michelle L. Mazurek. 2016. Usability and Security of Text Passwords on Mobile Devices. In Proc. CHI -
Article 0, Publication date: December 2016 -
Richard Shay, Iulia Ion, R. Reeder, Sunny Consolvo (2014)
"My religious aunt asked why i was trying to sell her viagra": experiences with account hijackingProceedings of the SIGCHI Conference on Human Factors in Computing Systems
-
(2015)
Once seen as bulletproof, 11 million+ Ashley Madison passwords already cracked -
N. Beebe (2015)
A Complete Bibliography of ACM Transactions on Information and System Security -
John Pliam (2000)
On the Incomparability of Entropy and Marginal Guesswork in Brute-Force Attacks -
(2015)
Password Guessability Service. Retrieved from https -
(2014)
Illegal Web Trade of Personal Information Soars to Record Highs. Retrieved from https://www.experianplc.com/media/news/2014/illegal-web-trade-of-personal-information-soars-to- record-highs -
Michelle Mazurek, Saranga Komanduri, Timothy Vidas, Lujo Bauer, Nicolas Christin, L. Cranor, Patrick Kelley, Richard Shay, Blase Ur (2013)
Measuring password guessability for an entire universityProceedings of the 2013 ACM SIGSAC conference on Computer & communications security
-
Thorsten Brantz, Alex Franz (2006)
The Google Web 1T 5-Gram CorpusTechnical Report. Linguistic Data Consortium.
-
E. Stobert, R. Biddle (2015)
Expert Password Management -
W. Ford, B. Kaliski (2000)
Server-assisted generation of a strong secret from a passwordProceedings IEEE 9th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WET ICE 2000)
-
Designing Password Policies for Strength and Usability -
Sudhir Aggarmal, Charles Weir (2010)
Using probabilistic techniques to aid in password cracking attacks -
Blase Ur, Sean Segreti, Lujo Bauer, Nicolas Christin, L. Cranor, Saranga Komanduri, Darya Kurilova, Michelle Mazurek, William Melicher, Richard Shay (2015)
Measuring Real-World Accuracies and Biases in Modeling Password Guessability -
S. Fahl, M. Harbach, Y. Acar, Matthew Smith (2013)
On the ecological validity of a password study -
Alex Biryukov, Daniel Dinu, Dmitry Khovratovich (2015)
Version 1Retrieved from https://password-hashing.net/submissions/specs/Argon-v3.pdf.
-
(2004)
Using “grep” (a UNIX utility) for Solving Crosswords and Word Puzzle -
Saranga Komanduri, Richard Shay, Patrick Kelley, Michelle Mazurek, Lujo Bauer, Nicolas Christin, L. Cranor, Serge Egelman (2011)
Of passwords and people: measuring the effect of password-composition policiesProceedings of the SIGCHI Conference on Human Factors in Computing Systems
-
(2015)
Version 1.2 of Argon2. Retrieved from https://password-hashing.net/submissions/specs/Argon-v3.pdf -
Organization Interfaces—collaborative computing General Terms -
(2010)
If Your Password Is 123456 -
Richard Shay, Lujo Bauer, Nicolas Christin, L. Cranor, Alain Forget, Saranga Komanduri, Michelle Mazurek, William Melicher, Sean Segreti, Blase Ur (2015)
A Spoonful of Sugar?: The Impact of Guidance and Feedback on Password-Creation BehaviorProceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems
-
Blase Ur, F. Noma, Jonathan Bees, Sean Segreti, Richard Shay, Lujo Bauer, Nicolas Christin, L. Cranor (2015)
"I Added '!' at the End to Make It Secure": Observing Password Creation in the Lab -
Cormac Herley (2009)
So long, and no thanks for the externalities: the rational rejection of security advice by users -
(2013)
Poster: The art of password creation -
Richard Shay, Saranga Komanduri, Patrick Kelley, P. Leon, Michelle Mazurek, Lujo Bauer, Nicolas Christin, L. Cranor (2010)
Encountering stronger password requirements: user attitudes and behaviors -
Jens Steube (2015)
HashcatRetrieved from https://hashcat.net/oclhashcat/.
-
Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Rich Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Julio Lopez (2012)
Guess again (and again and again): Measuring password strength by simulating password-cracking algorithmsProc. IEEE Symp. Security & Privacy
-
Joseph Bonneau (2012)
The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords2012 IEEE Symposium on Security and Privacy
-
Rafael Veras, C. Collins, Julie Thorpe (2014)
On Semantic Patterns of Passwords and their Security Impact -
(2012)
Hackers expose 453,000 credentials allegedly taken from Yahoo service -
Anupam Das, Joseph Bonneau, M. Caesar, N. Borisov, Xiaofeng Wang (2014)
The Tangled Web of Password Reuse -
(2013)
Proc. CCS -
W. Burr, Donna Dodson, E. Newton, Ray Perlner, W. Polk, Sarbari Gupta, Emad Nabbus (2014)
Electronic Authentication Guideline -
Richard Shay, Saranga Komanduri, Adam Durity, Phillip Huh, Michelle Mazurek, Sean Segreti, Blase Ur, Lujo Bauer, Nicolas Christin, L. Cranor (2014)
Can long passwords be secure and usable?Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
-
(2013)
Keeping our users secure. http://blog.twitter.com/2013/02/keeping-our-users-secure.html -
Saranga Komanduri (2016)
Modeling the Adversary to Evaluate Password Strength With Limited Samples -
(2015)
Ashley Madison: Two women explain how hack changed their lives -
(2006)
The Google Web 1T 5-gram corpus . Technical Report -
A. Juels, R. Rivest (2013)
Honeywords: making password-cracking detectableProceedings of the 2013 ACM SIGSAC conference on Computer & communications security
-
(2006)
MySpace Passwords Aren’t So Dumb -
(2015)
Spell Checker Oriented Word Lists -
J. Camenisch, Anja Lehmann, G. Neven (2015)
Optimal Distributed Password VerificationProceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
-
Joseph Bonneau, Cormac Herley, P. Oorschot, F. Stajano (2012)
The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes2012 IEEE Symposium on Security and Privacy
-
Yulong Yang, J. Lindqvist, Antti Oulasvirta (2014)
Text Entry Method Affects Password SecurityArXiv, abs/1403.1910
-
M. Weir, S. Aggarwal, B. Medeiros, Bill Glodek (2009)
Password Cracking Using Probabilistic Context-Free Grammars2009 30th IEEE Symposium on Security and Privacy
-
M. Weir, S. Aggarwal, Michael Collins, Henry Stern (2010)
Testing metrics for password creation policies by attacking large sets of revealed passwords -
Colin Percival (2009)
STRONGER KEY DERIVATION VIA SEQUENTIAL MEMORY-HARD FUNCTIONS -
Joseph Bonneau, Ekaterina Shutova (2012)
Linguistic Properties of Multi-word Passphrases -
Ashlee Vance (2010)
If Your Password Is 123456, Just Make It HackMeThe New York Times, 21
-
J. Huh, Seongyeol Oh, Hyoungshick Kim, K. Beznosov, A. Mohan, S. Rajagopalan (2015)
Surpass: System-initiated User-replaceable PasswordsProceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
-
Richard Shay, Patrick Kelley, Saranga Komanduri, Michelle Mazurek, Blase Ur, Timothy Vidas, Lujo Bauer, Nicolas Christin, L. Cranor (2012)
Correct horse battery staple: exploring the usability of system-assigned passphrases -
D. Florêncio, Cormac Herley, P. Oorschot (2014)
An Administrator's Guide to Internet Password Research -
(2013)
Vudu Headquarters Robbed, Hard Drives With Private Customer Data Stolen -
Niels Provos, David Mazières (1999)
A future-adaptive password scheme -
D. Florêncio, Cormac Herley (2010)
Where do security policies come from? -
E. Stobert, R. Biddle (2014)
The Password Life Cycle: User Behaviour in Managing Passwords -
Niels Provos, David Mazieres (1999)
A future-adaptable password schemeProc. USENIX ATC.
-
(2013)
Security Notice: Service-wide Password Reset -
Experian (2014)
Illegal Web Trade of Personal Information Soars to Record HighsRetrieved from https://www.experianplc.com/media/news/2014/illegal-web-trade-of-personal-information-soars-to-record-highs/.
-
F. Schaub, Ruben Deyhle, M. Weber (2012)
Password entry usability and shoulder surfing susceptibility on different smartphone platformsProceedings of the 11th International Conference on Mobile and Ubiquitous Multimedia
-
Cormac Herley, P. Oorschot (2012)
A Research Agenda Acknowledging the Persistence of PasswordsIEEE Security & Privacy, 10
-
Ashwini Rao, B. Jha, G. Kini (2013)
Effect of grammar on security of long passwordsProceedings of the third ACM conference on Data and application security and privacy
-
Jerry Ma, Weining Yang, Min Luo, Ninghui Li (2014)
A Study of Probabilistic Password Models2014 IEEE Symposium on Security and Privacy
-
(2015)
Hashcat. https://hashcat.net/oclhashcat -
Farzaneh Asgharpour, Debin Liu, L. Camp (2007)
Mental Models of Computer Security Risks -
M. Bishop, Daniel Klein (1995)
Improving system security via proactive password checkingComput. Secur., 14
-
Patrick Kelley, Saranga Komanduri, Michelle Mazurek, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, L. Cranor, Julio Hernandez (2011)
Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms2012 IEEE Symposium on Security and Privacy
-
M. Keith, Benjamin Shao, P. Steinbart (2009)
A Behavioral Analysis of Passphrase Design and EffectivenessJ. Assoc. Inf. Syst., 10
-
Warwick Ford, Burton S. Kaliski Jr (2000)
Server-assisted generation of a strong secret from a passwordProc. WET ICE.
-
(2013)
LivingSocial Hack Exposes Data for 50 Million Customers -
William Melicher, Darya Kurilova, Sean Segreti, Pranshu Kalvani, Richard Shay, Blase Ur, Lujo Bauer, Nicolas Christin, L. Cranor, Michelle Mazurek (2016)
Usability and Security of Text Passwords on Mobile DevicesProceedings of the 2016 CHI Conference on Human Factors in Computing Systems
-
D. Florêncio, Cormac Herley, P. Oorschot (2014)
Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts -
(2015)
VTech Has Yet to Put a Price on Hack, Chairman Says. Wall Street Journal http://www.wsj.com/articles/ vtech-has-yet-to-put-a-price-on-hack-chairman-says-1449556689 -
A. Biryukov, D. Dinu, D. Khovratovich (2015)
Argon and Argon2 -
D. Florêncio, Cormac Herley (2007)
A large-scale study of web password habits -
D. Barchiesi, Mark Plumbley (2018)
DictionariesSwift 4.2 Essentials
-
Rafael Veras, Julie Thorpe, C. Collins (2012)
Visualizing semantics in passwords: the role of dates -
Niels Provos, David Mazières, David Mazi
The Advanced Computing Systems Association a Future-adaptable Password Scheme a Future-adaptable Password Scheme -
Blase Ur, Patrick Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, L. Cranor (2012)
How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation -
Carnegie Mellon University (2015)
Password Guessability ServiceRetrieved from https://pgs.ece.cmu.edu.
-
Bob Lord (2013)
Keeping our users secureRetrieved from http://blog.twitter.com/2013/02/keeping-our-users-secure.html.
- Publisher
- Association for Computing Machinery
- Copyright
- Copyright © 2016 Owner/Author
- ISSN
- 1094-9224
- eISSN
- 1557-7406
- DOI
- 10.1145/2891411
- Publisher site
- See Article on Publisher Site
Abstract
Password-composition policies are the result of service providers becoming increasingly concerned about the security of online accounts. These policies restrict the space of user-created passwords to preclude easily guessed passwords and thus make passwords more difficult for attackers to guess. However, many users struggle to create and recall their passwords under strict password-composition policies, for example, ones that require passwords to have at least eight characters with multiple character classes and a dictionary check. Recent research showed that a promising alternative was to focus policy requirements on password length instead of on complexity. In this work, we examine 15 password policies, many focusing on length requirements. In doing so, we contribute the first thorough examination of policies requiring longer passwords. We conducted two online studies with over 20,000 participants, and collected both usability and password-strength data. Our findings indicate that password strength and password usability are not necessarily inversely correlated: policies that lead to stronger passwords do not always reduce usability. We identify policies that are both more usable and more secure than commonly used policies that emphasize complexity rather than length requirements. We also provide practical recommendations for service providers who want their users to have strong yet usable passwords.
Journal
ACM Transactions on Information and System Security (TISSEC) – Association for Computing Machinery
Published: May 6, 2016
Keywords: Passwords