Abstract
Password meters and policies are currently the only tools that help users create stronger passwords. However, such tools often do not give users consistent or useful feedback, and their suggestions may reduce the memorability of the resulting passwords. Passwords that are difficult to remember promote bad practices, such as writing them down or reusing them, so stronger passwords do not necessarily improve authentication security. In this work, we propose GuidedPass, a system that suggests real-time password modifications to users which preserve the password's semantic structure while increasing its strength. Our suggestions are based on structural and semantic patterns mined from successfully recalled and strong passwords in several IRB-approved user studies [30]. We compare our approach with password creation under the NIST [12] policy, the guidance of Ur et al. [26], and the zxcvbn password meter. We show that GuidedPass outperforms the competing approaches in both password strength and recall performance.
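The abstract's central constraint, that a suggested modification must keep the user's semantic structure while raising strength, is easy to state and easy to get wrong. The following is an added example, not GuidedPass's own code and not the paper's method: it assumes a constructed toy word list (TOY_WORDS, EXTRA_WORDS, EXTRA_SYMBOLS), a crude per-segment bit estimate (estimate_bits) standing in for a real guess-number estimator such as zxcvbn, and a small edit set (capitalize a word, append a symbol, append a word). The part worth reading is preserves_structure and the re-tokenization in suggest: every candidate is rendered back to a string and segmented again, so an edit that silently merges into or alters one of the user's original segments (for example appending a word directly to a word) is rejected rather than offered.

```python
"""Toy structure-preserving password strengthening (added example, not GuidedPass)."""
import math
import re
from dataclasses import dataclass

# Constructed stand-ins (assumptions for the demo, not data from the paper).
TOY_WORDS = {"love", "john", "summer", "dragon", "coffee", "secret", "tiger", "blue"}
TOY_LEXICON_SIZE = 10_000        # assumed size of the attacker's first dictionary
EXTRA_WORDS = ("tiger", "river")  # constructed candidate words a suggester may offer
EXTRA_SYMBOLS = ("!", "?", "#")  # constructed candidate symbols a suggester may offer
TARGET_GAIN_BITS = 8.0           # how much stronger a suggestion must be to qualify

TOKEN_RE = re.compile(r"[A-Za-z]+|\d+|[^A-Za-z\d]+")


@dataclass(frozen=True)
class Segment:
    kind: str   # "word", "year", "digits" or "symbols"
    text: str


def segment(password):
    """Split a password into typed runs; the sequence of kinds is its structure."""
    segs = []
    for m in TOKEN_RE.finditer(password):
        t = m.group()
        if t.isalpha():
            segs.append(Segment("word", t))
        elif t.isdigit():
            is_year = len(t) == 4 and 1900 <= int(t) <= 2030
            segs.append(Segment("year" if is_year else "digits", t))
        else:
            segs.append(Segment("symbols", t))
    return tuple(segs)


def render(segs):
    return "".join(s.text for s in segs)


def estimate_bits(segs):
    """Crude guess-space estimate: sum of per-segment log2 sizes (toy, not zxcvbn)."""
    bits = 0.0
    for s in segs:
        if s.kind == "word":
            low = s.text.lower()
            # dictionary word costs ~log2(dictionary) guesses; otherwise brute-force letters
            bits += math.log2(TOY_LEXICON_SIZE) if low in TOY_WORDS else len(low) * math.log2(26)
            # capitalization: first letter only adds 1 bit, any other pattern 1 bit per letter
            if s.text != low:
                bits += 1 if s.text == low.capitalize() else len(s.text)
        elif s.kind == "year":
            bits += math.log2(131)               # 1900..2030
        elif s.kind == "digits":
            bits += len(s.text) * math.log2(10)
        else:
            bits += len(s.text) * math.log2(33)  # printable ASCII symbols
    return bits


def preserves_structure(orig, new):
    """True if every original segment survives, in order, with text equal up to case."""
    i = 0
    for s in new:
        if i < len(orig) and s.kind == orig[i].kind and s.text.lower() == orig[i].text.lower():
            i += 1
    return i == len(orig)


def candidate_edits(segs):
    """Yield (label, new_segments) for each single edit in the toy edit set."""
    for i, s in enumerate(segs):
        if s.kind == "word" and s.text == s.text.lower():
            yield f"capitalize {s.text}", segs[:i] + (Segment("word", s.text.capitalize()),) + segs[i + 1:]
    present = "".join(s.text for s in segs if s.kind == "symbols")
    for sym in EXTRA_SYMBOLS:
        if sym not in present:
            yield f"append {sym}", segs + (Segment("symbols", sym),)
    for w in EXTRA_WORDS:
        yield f"append {w}", segs + (Segment("word", w),)


def suggest(password, max_edits=2):
    """Return (suggestion, bits, edits) or None if nothing qualifies.

    Breadth-first over edit sequences: prefers the fewest edits, then the highest
    estimated strength. Each candidate is re-segmented before the structure check,
    so edits that merge into the user's original segments are rejected.
    """
    orig = segment(password)
    target = estimate_bits(orig) + TARGET_GAIN_BITS
    frontier = [(orig, ())]
    for _depth in range(1, max_edits + 1):
        best, next_frontier, seen = None, [], set()
        for segs, edits in frontier:
            for label, new_segs in candidate_edits(segs):
                resegs = segment(render(new_segs))   # re-tokenize: adjacent runs may merge
                text = render(resegs)
                if text in seen:
                    continue
                seen.add(text)
                if not preserves_structure(orig, resegs):
                    continue
                bits = estimate_bits(resegs)
                next_frontier.append((resegs, edits + (label,)))
                if bits >= target and (best is None or bits > best[1]):
                    best = (text, bits, edits + (label,))
        if best is not None:
            return best
        frontier = next_frontier
    return None


if __name__ == "__main__":
    for pw in ("john1985!", "love"):
        print(pw, round(estimate_bits(segment(pw)), 2), suggest(pw))
```

For "love", appending a word alone yields "loveriver", which re-tokenizes as a single new word and is rejected; the search then finds a two-edit suggestion that keeps "love" intact. The estimator is deliberately naive (it rewards repeated symbols and non-dictionary words far more than a real cracker would), which is exactly why a deployment should plug in a guess-number estimator rather than trust per-segment arithmetic.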
References
Frequently occurring surnames from the census 2000. http://www.census.gov/topics/population/genealogy/data/2000_surnames.html. Accessed 14 Oct 2015
Ansaldo, A.I., Marcotte, K., Scherer, L., Raboyeau, G.: Language therapy and bilingual aphasia: clinical implications of psycholinguistic and neuroimaging research. J. Neurolinguistics 21(6), 539–557 (2008)
Blum, M., Vempala, S.S.: Publishable humanly usable secure password creation schemas. In: Third AAAI Conference on Human Computation and Crowdsourcing (2015)
Bonneau, J., Schechter, S.E.: Towards reliable storage of 56-bit secrets in human memory. In: USENIX Security Symposium, pp. 607–623 (2014)
Burnett, M.: Today i am releasing ten million passwords (2015). https://xato.net/today-i-am-releasing-ten-million-passwords-b6278bbe7495
de Carnavalet, X.D.C., Mannan, M.: From very weak to very strong: analyzing password-strength meters. In: NDSS, vol. 14, pp. 23–26 (2014)
Crawford, S.D., Couper, M.P., Lamias, M.J.: Web surveys: perceptions of burden. Soc. Sci. Comput. Rev. 19(2), 146–162 (2001)
Dell’Amico, M., Filippone, M.: Monte Carlo strength evaluation: fast and reliable password checking. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 158–169. ACM (2015)
Egelman, S., Sotirakopoulos, A., Muslukhov, I., Beznosov, K., Herley, C.: Does my password go up to eleven?: the impact of password meters on password selection. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2379–2388. ACM (2013)
Florêncio, D., Herley, C.: Where do security policies come from? In: Proceedings of the Sixth Symposium on Usable Privacy and Security, p. 10. ACM (2010)
Florêncio, D., Herley, C., Van Oorschot, P.C.: Pushing on string: the ‘don’t care’ region of password strength. Commun. ACM 59(11), 66–74 (2016)
Grassi, P.A., et al.: DRAFT NIST special publication 800-63B digital identity guidelines (2017)
NEA Guidelines: NIST special publication 800-63B version 1.0.2 (2006)
Habib, H., et al.: Password creation in the presence of blacklists (2017)
Hanesamgar, A., Woo, K.C., Mirkovic, J.: Leveraging semantic transformation to investigate password habits and their causes. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (2018)
Inglesant, P.G., Sasse, M.A.: The true cost of unusable password policies: password use in the wild. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 383–392. ACM (2010)
Ji, S., Yang, S., Wang, T., Liu, C., Lee, W.H., Beyah, R.: PARS: a uniform and open-source password analysis and research system. In: Proceedings of the 31st Annual Computer Security Applications Conference, pp. 321–330. ACM (2015)
Kelley, P.G., et al.: Guess again (and again and again): measuring password strength by simulating password-cracking algorithms. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 523–537. IEEE (2012)
Komanduri, S., Shay, R., Cranor, L.F., Herley, C., Schechter, S.E.: Telepathwords: preventing weak passwords by reading users’ minds. In: USENIX Security, pp. 591–606 (2014)
Komanduri, S., et al.: Of passwords and people: measuring the effect of password-composition policies. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 2595–2604. ACM (2011)
Shay, R., et al.: Can long passwords be secure and usable? In: Proceedings of the 32nd Annual ACM Conference on Human Factors in Computing Systems, pp. 2927–2936. ACM (2014)
Shay, R., et al.: Designing password policies for strength and usability. ACM Trans. Inf. Syst. Secur. (TISSEC) 18(4), 13 (2016)
Shay, R., et al.: Encountering stronger password requirements: user attitudes and behaviors. In: Proceedings of the Sixth Symposium on Usable Privacy and Security, p. 2. ACM (2010)
Summers, W.C., Bosworth, E.: Password policy: the good, the bad, and the ugly. In: Proceedings of the Winter International Symposium on Information and Communication Technologies, pp. 1–6. Trinity College Dublin (2004)
UCREL CLAWS7 Tagset (2016). http://ucrel.lancs.ac.uk/claws7tags.html
Ur, B., et al.: Design and evaluation of a data-driven password meter. In: CHI 2017: 35th Annual ACM Conference on Human Factors in Computing Systems, May 2017
Ur, B., et al.: How does your password measure up? The effect of strength meters on password creation. In: USENIX Security Symposium, pp. 65–80 (2012)
Veras, R., Collins, C., Thorpe, J.: On the semantic patterns of passwords and their security impact. In: Network and Distributed System Security Symposium (NDSS 2014) (2014)
Wheeler, D.L.: zxcvbn: low-budget password strength estimation. In: Proceedings of the USENIX Security (2016)
Woo, S., Kaiser, E., Artstein, R., Mirkovic, J.: Life-experience passwords (LEPs). In: Proceedings of the 32nd Annual Conference on Computer Security Applications, pp. 113–126. ACM (2016)
Acknowledgement
We thank our shepherd Tudor Dumitras and the anonymous reviewers for their helpful feedback on drafts of this paper. This research was supported by the MSIT (Ministry of Science and ICT), Korea, under the ICT Consilience Creative program (IITP-2017-R0346-16-1007) supervised by the IITP (Institute for Information & communications Technology Promotion), and by the NRF of Korea under the MSIT (NRF-2017R1C1B5076474).
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Woo, S.S., Mirkovic, J. (2018). GuidedPass: Helping Users to Create Strong and Memorable Passwords. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2018. Lecture Notes in Computer Science(), vol 11050. Springer, Cham. https://doi.org/10.1007/978-3-030-00470-5_12
DOI: https://doi.org/10.1007/978-3-030-00470-5_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-00469-9
Online ISBN: 978-3-030-00470-5
eBook Packages: Computer Science, Computer Science (R0)