The Password Game: Negative Externalities from Weak Password Practices

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6442)


The combination of username and password is widely used as a human authentication mechanism on the Web. Despite this universal adoption and despite their long tradition, password schemes exhibit a high number of security flaws which jeopardise the confidentiality and integrity of personal information. As Web users tend to reuse the same password for several sites, security negligence at any one site introduces a negative externality into the entire password ecosystem. We analyse this market inefficiency as the equilibrium between password deployment strategies at security-concerned Web sites and indifferent Web sites.

The game-theoretic prediction is challenged by an empirical analysis. By a manual inspection of 150 public Web sites that offer free yet password-protected sign-up, complemented by an automated sampling of 2184 Web sites, we demonstrate that observed password practices follow the theory: Web sites that have little incentive to invest in security are indeed found to have weaker password schemes, thereby facilitating the compromise of other sites. We use the theoretical model to explore which technical and regulatory approaches could eliminate the empirically detected inefficiency in the market for password protection.


Nash Equilibrium Negative Externality News Site Graphical Password Password Protection 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    BugMeNot (February 2010)Google Scholar
  2. 2.
  3. 3.
    Windows Live Solution Center: Creating a strong password for your e-mail account (September 2010),
  4. 4.
    Yahoo! Password Help (September 2010),
  5. 5.
    Bonneau, J., Preibusch, S.: The password thicket: technical and market failures in human authentication on the web. In: The Ninth Workshop on the Economics of Information Security, WEIS 2010 (2010)Google Scholar
  6. 6.
    Bundesamt für Sicherheit in der Informationstechnik (BSI) (Federal Office for Information Security). IT-Grundschutz Catalogues (2005)Google Scholar
  7. 7.
    Burr, W.E., Dodson, D.F., Timothy Polk, W.: Electronic Authentication Guideline. NIST Special Publication 800-63 (April 2006)Google Scholar
  8. 8.
    Chaos Computer Club (CCC). Datenbrief (January 2010),
  9. 9.
    Florêncio, D., Herley, C.: A large-scale study of web password habits. In: WWW 2007: Proceedings of the 16th International Conference on World Wide Web, pp. 657–666. ACM, New York (2007)Google Scholar
  10. 10.
    Gaw, S., Felten, E.W.: Password Management Strategies for Online Accounts. In: SOUPS 2006: Proceedings of the Second Symposium on Usable Privacy and Security, pp. 44–55. ACM, New York (2006)CrossRefGoogle Scholar
  11. 11.
    Notoatmodjo, G., Thomborson, C.: Passwords and Perceptions. In: Brankovic, L., Susilo, W. (eds.) Seventh Australasian Information Security Conference (AISC 2009), Wellington, New Zealand. CRPIT, vol. 98, pp. 71–78. ACS (2009)Google Scholar
  12. 12.
    Prince, B.: Twitter Details Phishing Attacks Behind Password Reset. eWeek (January 2010)Google Scholar
  13. 13.
    Recordon, D., Reed, D.: OpenID 2.0: a platform for user-centric identity management. In: DIM 2006: Proceedings of the Second ACM Workshop on Digital Identity Management, pp. 11–16. ACM, New York (2006)CrossRefGoogle Scholar
  14. 14.
    Riley, S.: Password Security: What Users Know and What They Actually Do. Usability News 8(1) (2006)Google Scholar
  15. 15.
    Vance, A.: If Your Password Is 123456, Just Make It HackMe. The New York Times (January 2010)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  1. 1.Computer LaboratoryUniversity of CambridgeCambridgeUK

Personalised recommendations