ABSTRACT
Multiple mechanisms exist to encourage users to create stronger passwords, including minimum-length and character-class requirements, prohibiting blocklisted passwords, and giving feedback on the strength of candidate passwords. Despite much research, there is little definitive, scientific guidance on how these mechanisms should be combined and configured to best effect. Through two online experiments, we evaluated combinations of minimum-length and character-class requirements, blocklists, and a minimum-strength requirement, under which a password must exceed a strength threshold according to neural-network-driven password-strength estimates.
Our results lead to concrete recommendations for policy configurations that produce a good balance of security and usability. In particular, for high-value user accounts we recommend policies that combine minimum-strength and minimum-length requirements. While we offer recommendations for organizations required to use blocklists, adding a blocklist on top of such policies does not provide further gains. Interestingly, we also find that against expert attackers, character-class requirements, traditionally associated with producing stronger passwords, in practice may provide very little improvement and may even reduce effective security.
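The abstract names four mechanisms that a policy can combine: a minimum length, a character-class count, a blocklist, and a minimum-strength threshold. The following checker is an added example, not code from the paper or its authors; it shows how those requirements compose into a single policy object and how the same candidate password fares under a class-heavy policy versus a minimum-strength plus minimum-length policy. The strength estimator is a constructed stand-in, not the paper's neural-network guesser, and is meant to be swapped out through the `estimator` parameter; the policy names, thresholds and sample blocklist are constructed for illustration as well.

```python
"""Composable password-policy checker.

Added example for this page; it is not code from the paper or its authors.
The mechanisms mirror the ones the abstract names: minimum length,
character-class count, a blocklist, and a minimum-strength threshold.
The strength estimator is a constructed stand-in, not the neural-network
guesser the paper uses; swap it for a real estimator via the `estimator`
parameter. Policy names, thresholds and the blocklist are constructed too.
"""
import math
import re
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional

# Constructed sample blocklist. A deployment would load a large list of
# leaked passwords instead (assumption about how the list is sourced).
SAMPLE_BLOCKLIST: FrozenSet[str] = frozenset({
    "password", "123456", "qwerty", "letmein", "iloveyou", "monkey",
})


def _is_symbol(c: str) -> bool:
    """Anything that is not a letter or digit counts as a symbol (spaces included)."""
    return not (c.islower() or c.isupper() or c.isdigit())


def normalize_for_blocklist(pw: str) -> List[str]:
    """Forms of the password compared against the blocklist.

    Matching is case-insensitive and is also tried with digits and symbols
    stripped, so "Password123!" still hits "password". This normalization
    is this example's assumption, not necessarily the paper's matching rule.
    """
    lowered = pw.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)
    return sorted(f for f in {lowered, letters_only} if f)


def count_char_classes(pw: str) -> int:
    """Number of character classes present: lower, upper, digit, symbol."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(_is_symbol(c) for c in pw),
    ])


def crude_log10_guesses(pw: str, blocklist: FrozenSet[str] = SAMPLE_BLOCKLIST) -> float:
    """Stand-in strength estimate, in log10(guesses).

    NOT the paper's neural-network estimator. It sizes the brute-force space
    from the classes used, but if the password contains a blocklisted word,
    that word counts as one guessable token rather than as free characters.
    """
    if not pw:
        return 0.0
    pool = (26 * any(c.islower() for c in pw) + 26 * any(c.isupper() for c in pw)
            + 10 * any(c.isdigit() for c in pw) + 33 * any(_is_symbol(c) for c in pw))
    per_char = math.log10(pool)
    lowered = pw.lower()
    # Longest blocklisted word first, so "password123456" is penalised for "password".
    for word in sorted(blocklist, key=len, reverse=True):
        if word in lowered:
            return (len(pw) - len(word)) * per_char + math.log10(len(blocklist))
    return len(pw) * per_char


@dataclass(frozen=True)
class Policy:
    """One policy configuration; None disables the minimum-strength check."""
    name: str
    min_length: int
    min_classes: int = 1
    use_blocklist: bool = False
    min_strength_log10: Optional[float] = None


# Constructed configurations (thresholds are assumptions, not the paper's values).
FOUR_CLASS_8 = Policy("4class8", min_length=8, min_classes=4, use_blocklist=True)
MIN_STRENGTH_10 = Policy("minstrength10", min_length=10, min_strength_log10=10.0)


def check_password(pw: str, policy: Policy,
                   estimator: Callable[[str], float] = crude_log10_guesses,
                   blocklist: FrozenSet[str] = SAMPLE_BLOCKLIST) -> List[str]:
    """Return the list of violated requirements; an empty list means accepted."""
    problems: List[str] = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if count_char_classes(pw) < policy.min_classes:
        problems.append(f"fewer than {policy.min_classes} character classes")
    if policy.use_blocklist and any(f in blocklist for f in normalize_for_blocklist(pw)):
        problems.append("matches a blocklisted password")
    if policy.min_strength_log10 is not None:
        est = estimator(pw)
        if est < policy.min_strength_log10:
            problems.append(
                f"estimated strength 10^{est:.1f} guesses is below "
                f"10^{policy.min_strength_log10:g}")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1!", "plum kettle orbit 7"):
        for policy in (FOUR_CLASS_8, MIN_STRENGTH_10):
            verdict = check_password(candidate, policy) or ["accepted"]
            print(f"{candidate!r:>24} under {policy.name}: {'; '.join(verdict)}")
```

Running the script shows the trade-off the abstract describes: "Password1!" satisfies all four character classes yet is rejected by the blocklist and by the strength threshold, while the longer passphrase fails the class-heavy policy but clears the minimum-strength policy comfortably. Returning the list of violations, rather than a boolean, is what lets a registration form give the user specific feedback.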
Practical Recommendations for Stronger, More Usable Passwords Combining Minimum-strength, Minimum-length, and Blocklist Requirements