The Password Game: Negative Externalities from Weak Password Practices
The combination of username and password is widely used as a human authentication mechanism on the Web. Despite this universal adoption and despite their long tradition, password schemes exhibit a high number of security flaws which jeopardise the confidentiality and integrity of personal information. As Web users tend to reuse the same password for several sites, security negligence at any one site introduces a negative externality into the entire password ecosystem. We analyse this market inefficiency as the equilibrium between password deployment strategies at security-concerned Web sites and indifferent Web sites.
The game-theoretic prediction is challenged by an empirical analysis. By a manual inspection of 150 public Web sites that offer free yet password-protected sign-up, complemented by an automated sampling of 2184 Web sites, we demonstrate that observed password practices follow the theory: Web sites that have little incentive to invest in security are indeed found to have weaker password schemes, thereby facilitating the compromise of other sites. We use the theoretical model to explore which technical and regulatory approaches could eliminate the empirically detected inefficiency in the market for password protection.
Unable to display preview. Download preview PDF.
- 1.BugMeNot (February 2010)Google Scholar
- 2.Facebook Connect (2010), http://www.facebook.com/advertising/?connect
- 3.Windows Live Solution Center: Creating a strong password for your e-mail account (September 2010), http://windowslivehelp.com/solution.aspx?solutionid=3ca67154-2ee7-4da4-%8b95-f8aef17a71bc
- 4.Yahoo! Password Help (September 2010), http://help.yahoo.com/l/us/yahoo/abuse/password/faq.html
- 5.Bonneau, J., Preibusch, S.: The password thicket: technical and market failures in human authentication on the web. In: The Ninth Workshop on the Economics of Information Security, WEIS 2010 (2010)Google Scholar
- 6.Bundesamt für Sicherheit in der Informationstechnik (BSI) (Federal Office for Information Security). IT-Grundschutz Catalogues (2005)Google Scholar
- 7.Burr, W.E., Dodson, D.F., Timothy Polk, W.: Electronic Authentication Guideline. NIST Special Publication 800-63 (April 2006)Google Scholar
- 8.Chaos Computer Club (CCC). Datenbrief (January 2010), http://www.ccc.de/datenbrief
- 9.Florêncio, D., Herley, C.: A large-scale study of web password habits. In: WWW 2007: Proceedings of the 16th International Conference on World Wide Web, pp. 657–666. ACM, New York (2007)Google Scholar
- 11.Notoatmodjo, G., Thomborson, C.: Passwords and Perceptions. In: Brankovic, L., Susilo, W. (eds.) Seventh Australasian Information Security Conference (AISC 2009), Wellington, New Zealand. CRPIT, vol. 98, pp. 71–78. ACS (2009)Google Scholar
- 12.Prince, B.: Twitter Details Phishing Attacks Behind Password Reset. eWeek (January 2010)Google Scholar
- 14.Riley, S.: Password Security: What Users Know and What They Actually Do. Usability News 8(1) (2006)Google Scholar
- 15.Vance, A.: If Your Password Is 123456, Just Make It HackMe. The New York Times (January 2010)Google Scholar