Statistics on Password Re-use and Adaptive Strength for Financial Accounts

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8642)


Multiple studies have demonstrated that users select weak passwords. However, the vast majority of studies on password security uses password lists that only have passwords for one site, which means that several important questions cannot be studied. For example, how much stronger are password choices for different categories of sites? We use a dataset which we extracted from a large dump of malware records. It contains multiple accounts (and passwords) per user and thus allows us to study both password re-use and the correlation between the value of an account and the strength of the passwords for those accounts.

The first contribution of our study shows that users in our sample choose (substantially) stronger passwords for financial accounts than for low-value accounts, based on the extracted passwords as well as publicly available lists. This contribution has implications for password research, as some widely-used lists contain passwords much weaker than those used in the real world (for accounts of more than low value). In our second contribution, we measure password re-use taking account values into account. We see that although high-value passwords are stronger, they are re-used more frequently than low-value passwords – valuable passwords are identical to 21% of the remaining passwords of a user. Before our study, little was known about password re-use for different account values.


Edit Distance Financial Account Dictionary Attack Multiple Account Online Account 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bonneau, J.: Measuring password re-use empirically (February 2011),
  2. 2.
    Bonneau, J.: Guessing human-chosen secrets. PhD thesis, University of Cambridge (May 2012)Google Scholar
  3. 3.
    Bonneau, J.: The science of guessing: Analyzing an anonymized corpus of 70 million passwords. In: 2012 IEEE Symposium on Security and Privacy (2012)Google Scholar
  4. 4.
    Brown, A.S., Bracken, E., Zoccoli, S., Douglas, K.: Generating and remembering passwords. Applied Cognitive Psychology 18(6), 641–651 (2004)CrossRefGoogle Scholar
  5. 5.
    Cachin, C.: Entropy Measures and Unconditional Security in Cryptography. PhD thesis, ETH Zürich (1997)Google Scholar
  6. 6.
    Castelluccia, C., Dürmuth, M., Perito, D.: Adaptive password-strength meters from Markov models. In: Proc. Network and Distributed Systems Security Symposium (NDSS). The Internet Society (2012)Google Scholar
  7. 7.
    Designer, S.: John the ripper,
  8. 8.
    Dhamija, R., Perrig, A.: Deja vu: A user study using images for authentication. In: Proc. 9th USENIX Security Symposium (2000)Google Scholar
  9. 9.
    Florencio, D., Herley, C.: A large-scale study of web password habits. In: Proc. 16th International Conference on World Wide Web (WWW 2007), pp. 657–666. ACM (2007)Google Scholar
  10. 10.
    Florencio, D., Herley, C.: Where do security policies come from? In: Symposium on Usable Privacy and Security, SOUPS (2010)Google Scholar
  11. 11.
    Gaw, S., Felten, E.W.: Password management strategies for online accounts. In: Proc. Symposium on Usable Privacy and Security, SOUPS (2006)Google Scholar
  12. 12.
    Taiabul Haque, S.M., Wright, M., Scielzo, S.: A study of user password strategy for multiple accounts. In: Proc. 3rd ACM Conference on Data and Application Security and Privacy (CODASPY), pp. 173–176 (2013)Google Scholar
  13. 13.
  14. 14.
    Herley, C., van Oorschot, P.C., Patrick, A.S.: Passwords: If we’re so smart, why are we still using them? In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 230–237. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  15. 15.
    Ives, B., Walsh, K.R., Schneider, H.: The domino effect of password reuse. Communications of the ACM 47(4), 75 (2004)CrossRefGoogle Scholar
  16. 16.
    Kelley, P.G., Komanduri, S., Mazurek, M.L., Shay, R., Vidas, T., Bauer, L., Christin, N., Cranor, L.F., Lopez, J.: Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms. In: 2012 IEEE Symposium on Security and Privacy (2012)Google Scholar
  17. 17.
    Komanduri, S., Shay, R., Kelley, P.G., Mazurek, M.L., Bauer, L., Christin, N., Cranor, L.F., Egelman, S.: Of passwords and people: Measuring the effect of password-composition policies. In: Proc. Conference on Human Factors in Computing Systems, CHI 2011 (2011)Google Scholar
  18. 18.
    Krebs, B.: Fraud Bazaar Hacked (May 2010),
  19. 19.
    Massey, J.L.: Guessing and entropy. In: IEEE International Symposium on Information Theory, p. 204 (1994)Google Scholar
  20. 20.
    Mick, J.: Inside the Mega-Hack of Bitcoin: The Full Story (June 2011),
  21. 21.
    Morris, R., Thompson, K.: Password security: A case history. Commun. ACM 22(11), 594–597 (1979)CrossRefGoogle Scholar
  22. 22.
    Narayanan, A., Shmatikov, V.: Fast dictionary attacks on passwords using time-space tradeoff. In: Proc. 12th ACM Conference on Computer and Communications Security (CCS), pp. 364–372. ACM (2005)Google Scholar
  23. 23.
    Nurse, J.R., Creese, S., Goldsmith, M., Lamberts, K.: Trustworthy and effective communication of cybersecurity risks: A review. In: Proc. Workshop on Socio-Technical Aspects in Security and Trust (STAST), pp. 60–68. IEEE (2011)Google Scholar
  24. 24.
    Riley, S.: Password security: What users know and what they actually do. Usability News 8(1) (2006)Google Scholar
  25. 25.
    Sasse, M.A., Brostoff, S., Weirich, D.: Transforming the ’weakest link’ a human/computer interaction approach to usable and effective security. BT Technology Journal 19(3), 122–132 (2001)CrossRefGoogle Scholar
  26. 26.
    Owl, S.: Microsoft market dominance (2013),
  27. 27.
    Trusteer, Inc. Detects rapid spread of new polymorphic version of zeus online banking trojan. Security Advisory (2010),
  28. 28.
    Trusteer, Inc. Reused login credentials. Security Advisory (2010),
  29. 29.
    Weir, M., Aggarwal, S., Collins, M., Stern, H.: Testing metrics for password creation policies by attacking large sets of revealed passwords. In: Proc. 17th ACM Conference on Computer and Communications Security (CCS 2010), pp. 162–175. ACM (2010)Google Scholar
  30. 30.
    Weir, M., Aggarwal, S., de Medeiros, B., Glodek, B.: Password cracking using probabilistic context-free grammars. In: Proc. IEEE Symposium on Security and Privacy, pp. 391–405. IEEE Computer Society (2009)Google Scholar
  31. 31.
    Zhang, Y., Monrose, F., Reiter, M.K.: The security of modern password expiration: an algorithmic framework and empirical analysis. In: Proc. ACM Conference on Computer and Communications Security (CCS), pp. 176–186 (2010)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. 1.Horst Görtz Institute for IT-SecurityBochumGermany

Personalised recommendations