Statistics on Password Re-use and Adaptive Strength for Financial Accounts
Abstract
Multiple studies have demonstrated that users select weak passwords. However, the vast majority of studies on password security use password lists that contain passwords for only one site, which means that several important questions cannot be studied. For example, how much stronger are password choices for different categories of sites? We use a dataset which we extracted from a large dump of malware records. It contains multiple accounts (and passwords) per user and thus allows us to study both password re-use and the correlation between the value of an account and the strength of the password chosen for it.
The first contribution of our study shows that users in our sample choose (substantially) stronger passwords for financial accounts than for low-value accounts, based on the extracted passwords as well as publicly available lists. This has implications for password research, as some widely used lists contain passwords much weaker than those used in the real world for accounts of more than low value. In our second contribution, we measure password re-use while taking account value into consideration. We see that although high-value passwords are stronger, they are re-used more frequently than low-value passwords: valuable passwords are identical to 21% of the remaining passwords of a user. Before our study, little was known about password re-use across accounts of different value.
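The re-use measurement described in the second contribution can be reproduced on a per-user, multi-account dataset: for each high-value (financial) password, compare it with the same user's remaining passwords and count exact matches and near-matches by edit distance. This is an added illustration, not the paper's code; the records, the category labels and the near-match threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (user_id, account_category, password); not real data.
RECORDS = [
    ("u1", "financial", "Tr0ub4dor&3"),
    ("u1", "email", "Tr0ub4dor&3"),        # exact re-use of the financial password
    ("u1", "forum", "troubador"),
    ("u1", "social", "sunshine"),
    ("u2", "financial", "Correct-Horse-9"),
    ("u2", "email", "correct-horse-9"),    # near re-use: case changes only
    ("u2", "forum", "letmein"),
    ("u3", "financial", "Pa55word!"),
    ("u3", "social", "Pa55word!"),         # exact re-use
]

HIGH_VALUE = {"financial"}  # assumed category label for high-value accounts


def levenshtein(a, b):
    """Edit distance with insert, delete and substitute, each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute / match
        prev = cur
    return prev[-1]


def reuse_stats(records, high_value=HIGH_VALUE, near=3):
    """Compare every high-value password with the same user's other passwords.
    Returns counts of compared pairs, identical pairs and near pairs
    (0 < edit distance <= near), from which re-use fractions follow."""
    by_user = defaultdict(list)
    for uid, category, password in records:
        by_user[uid].append((category, password))
    stats = {"pairs": 0, "identical": 0, "near": 0}
    for accounts in by_user.values():
        for i, (category, pw) in enumerate(accounts):
            if category not in high_value:
                continue
            for j, (_, other) in enumerate(accounts):
                if i == j:
                    continue
                stats["pairs"] += 1
                d = levenshtein(pw, other)
                if d == 0:
                    stats["identical"] += 1
                elif d <= near:
                    stats["near"] += 1
    return stats
```

On the constructed records, 2 of 6 compared pairs are identical and 1 more is within 3 edits, i.e. a 33% exact re-use rate for financial passwords in this toy sample.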
Keywords: edit distance, financial account, dictionary attack, multiple accounts, online account