DOI: 10.1145/3372297.3417882
Research article, open access

Practical Recommendations for Stronger, More Usable Passwords Combining Minimum-strength, Minimum-length, and Blocklist Requirements

Published: 02 November 2020

Abstract

Multiple mechanisms exist to encourage users to create stronger passwords, including minimum-length and character-class requirements, prohibiting blocklisted passwords, and giving feedback on the strength of candidate passwords. Despite much research, there is little definitive, scientific guidance on how these mechanisms should be combined and configured to best effect. Through two online experiments, we evaluated combinations of minimum-length and character-class requirements, blocklists, and a minimum-strength requirement that requires passwords to exceed a strength threshold according to neural-network-driven password-strength estimates.
Our results lead to concrete recommendations for policy configurations that produce a good balance of security and usability. In particular, for high-value user accounts we recommend policies that combine minimum-strength and minimum-length requirements. While we offer recommendations for organizations required to use blocklists, using blocklists does not provide further gains. Interestingly, we also find that against expert attackers, character-class requirements, traditionally associated with producing stronger passwords, in practice may provide very little improvement and may even reduce effective security.

Supplementary Material

MOV File (Copy of CCS2020_fpc341_JoshuaTan - Brian Hollendyke.mov)
Presentation video


Cited By

  • (2024) Upaya peningkatan kesadaran keamanan data bagi guru Bahasa Inggris SMA di Kabupaten Bantul (Efforts to raise data security awareness among high school English teachers in Bantul Regency). KACANEGARA Jurnal Pengabdian pada Masyarakat 7(3), 345. DOI: 10.28989/kacanegara.v7i3.2106. Published 1 Aug 2024.
  • (2024) An Analysis of Password Managers' Password Checkup Tools. Extended Abstracts of the CHI Conference on Human Factors in Computing Systems, 1-7. DOI: 10.1145/3613905.3650741. Published 11 May 2024.
  • (2024) PagPassGPT: Pattern Guided Password Guessing via Generative Pretrained Transformer. 2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 429-442. DOI: 10.1109/DSN58291.2024.00049. Published 24 Jun 2024.


Published In

CCS '20: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security
October 2020, 2180 pages
ISBN: 9781450370899
DOI: 10.1145/3372297
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. blocklists
  2. neural networks
  3. password policies

Conference

CCS '20. Overall acceptance rate: 1,261 of 6,999 submissions, 18%
