research-article

The password allocation problem: strategies for reusing passwords effectively

Authors:

Rishab Nithyanand,

Rob JohnsonAuthors Info & Claims

WPES '13: Proceedings of the 12th ACM workshop on Workshop on privacy in the electronic society

Pages 255 - 260

https://doi.org/10.1145/2517840.2517870

Published: 04 November 2013 Publication History

Get Access

Abstract

Each Internet user has, on average, 25 password-protected accounts, but only 6.5 distinct passwords[webhabits]. Despite the advice of security experts, users are obviously re-using passwords across multiple sites. So this paper asks the question: given that users are going to re-use passwords across multiple sites, how should they best allocate those passwords to sites so as to minimize their losses from accidental password disclosures?

We provide both theoretical and practical results. First, we provide a mathematical formulation of the Password Allocation (PA) problem and show that it is NP-complete with a reduction via the 3-Partition problem. We then study several special cases and show that the optimal solution is often a contiguous allocation -- i.e., similar accounts share passwords. Next, we evaluate several human- and machine-computable heuristics that have very good performance and produce solutions that are reasonably close to optimal. We find that the human-computable heuristics do not perform nearly as well as the machine-computable heuristics, however, they provide a useful and easy to follow set of guidelines for re-using passwords.

References

[1]

Reused login credentials: Security advisory. Trusteer, Inc., February 2010.

Google Scholar

[2]

Office of inadeqaute security. www.databreaches.net/category/breach-types/exposure/, 2013.

Google Scholar

[3]

J. Bonneau. Measuring password re-use empirically. Light Blue Touchpaper, February 2011.

Google Scholar

[4]

D. Florencio and C. Herley. A large-scale study of web password habits. In Proceedings of the 16th international conference on World Wide Web, 2007.

Digital Library

Google Scholar

[5]

M. R. Garey and D. S. Johnson. Computers and Intractability; A Guide to the Theory of NP-Completeness. W. H. Freeman & Co., 1990.

Digital Library

Google Scholar

[6]

S. Gaw and E. W. Felten. Password management strategies for online accounts. In Proceedings of the second symposium on Usable privacy and security, SOUPS '06, pages 44--55, New York, NY, USA, 2006. ACM.

Digital Library

Google Scholar

[7]

A. Huth, M. Orlando, and L. Pesante. Password security, protection, and management. United States Computer Emergency Readiness Team, October 2012.

Google Scholar

[8]

B. Ives, K. R. Walsh, and H. Schneider. The domino effect of password reuse. Communications of the ACM, 47(4):75--78, Apr. 2004.

Digital Library

Google Scholar

[9]

D. Perito, C. Castelluccia, M. Kaafar, and P. Manils. How unique and traceable are usernames? In Proceedings of Privacy Enhancing Technologies. 2011.

Digital Library

Google Scholar

[10]

G. J. Woeginger. When does a dynamic programming formulation guarantee the existence of an fptas? In Proceedings of the tenth annual ACM-SIAM symposium on Discrete algorithms, 1999.

Digital Library

Google Scholar

Cited By

View all

Wang DWang PHe DTian YHeninger NTraynor P(2019)Birthday, name and bifacial-securityProceedings of the 28th USENIX Conference on Security Symposium10.5555/3361338.3361445(1537-1554)Online publication date: 14-Aug-2019
https://dl.acm.org/doi/10.5555/3361338.3361445
Kuppusamy K(2019)PassContext and PassActions: transforming authentication into multi-dimensional contextual and interaction sequencesJournal of Ambient Intelligence and Humanized Computing10.1007/s12652-019-01336-9Online publication date: 6-Jun-2019
https://doi.org/10.1007/s12652-019-01336-9
Yıldırım MMackie I(2019)Encouraging users to improve password security and memorabilityInternational Journal of Information Security10.1007/s10207-019-00429-yOnline publication date: 11-Apr-2019
https://doi.org/10.1007/s10207-019-00429-y
Show More Cited By

Index Terms

The password allocation problem: strategies for reusing passwords effectively

Recommendations

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

WPES '13: Proceedings of the 12th ACM workshop on Workshop on privacy in the electronic society

November 2013

306 pages

ISBN:9781450324854

DOI:10.1145/2517840

General Chair:
Ahmad-Reza Sadeghi
TU-Darmstadt & Fraunhofer SIT & Intel ICRI-SC, Germany
,
Program Chair:
Sara Foresti
Università degli Studi di Milano, Italy

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 November 2013

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS'13

Sponsor:

SIGSAC

CCS'13: 2013 ACM SIGSAC Conference on Computer and Communications Security

November 4, 2013

Berlin, Germany

Acceptance Rates

WPES '13 Paper Acceptance Rate 30 of 103 submissions, 29%;

Overall Acceptance Rate 106 of 355 submissions, 30%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

5
Total Citations
View Citations
250
Total Downloads

Downloads (Last 12 months)10
Downloads (Last 6 weeks)0

Reflects downloads up to 13 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Wang DWang PHe DTian YHeninger NTraynor P(2019)Birthday, name and bifacial-securityProceedings of the 28th USENIX Conference on Security Symposium10.5555/3361338.3361445(1537-1554)Online publication date: 14-Aug-2019
https://dl.acm.org/doi/10.5555/3361338.3361445
Kuppusamy K(2019)PassContext and PassActions: transforming authentication into multi-dimensional contextual and interaction sequencesJournal of Ambient Intelligence and Humanized Computing10.1007/s12652-019-01336-9Online publication date: 6-Jun-2019
https://doi.org/10.1007/s12652-019-01336-9
Yıldırım MMackie I(2019)Encouraging users to improve password security and memorabilityInternational Journal of Information Security10.1007/s10207-019-00429-yOnline publication date: 11-Apr-2019
https://doi.org/10.1007/s10207-019-00429-y
Ur BNoma FBees JSegreti SShay RBauer LChristin NCranor L(2015)“I added '!' at the end to make it secure”Proceedings of the Eleventh USENIX Conference on Usable Privacy and Security10.5555/3235866.3235877(123-140)Online publication date: 22-Jul-2015
https://dl.acm.org/doi/10.5555/3235866.3235877
Florêncio DHerley CVan Oorschot PFu K(2014)Password portfolios and the finite-effort userProceedings of the 23rd USENIX conference on Security Symposium10.5555/2671225.2671262(575-590)Online publication date: 20-Aug-2014
https://dl.acm.org/doi/10.5555/2671225.2671262

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Password Book: Password Journal / Password Organizer / Password Keeper / Internet Usernames and Passwords / Internet Password Logbook A Passkey Log ... seamless pattern collection) (Volume 48)

Pocket Password Book (Password): A discreet internet password organizer

Password Organizer: Web Password Book / Password Book / Password Journal / Internet Password Book (Draw cute cat ) (Volume 8)