The Password Game: Negative Externalities from Weak Password Practices

Conference paper: Decision and Game Theory for Security (GameSec 2010)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 6442)
Abstract

The combination of username and password is widely used as a human authentication mechanism on the Web. Despite this universal adoption and despite their long tradition, password schemes exhibit a high number of security flaws which jeopardise the confidentiality and integrity of personal information. As Web users tend to reuse the same password for several sites, security negligence at any one site introduces a negative externality into the entire password ecosystem. We analyse this market inefficiency as the equilibrium between password deployment strategies at security-concerned Web sites and indifferent Web sites.

The game-theoretic prediction is tested against an empirical analysis. By a manual inspection of 150 public Web sites that offer free yet password-protected sign-up, complemented by an automated sampling of 2184 Web sites, we demonstrate that observed password practices follow the theory: Web sites that have little incentive to invest in security are indeed found to have weaker password schemes, thereby facilitating the compromise of other sites. We use the theoretical model to explore which technical and regulatory approaches could eliminate the empirically detected inefficiency in the market for password protection.

© 2010 Springer-Verlag Berlin Heidelberg

Cite this paper

Preibusch, S., Bonneau, J. (2010). The Password Game: Negative Externalities from Weak Password Practices. In: Alpcan, T., Buttyán, L., Baras, J.S. (eds) Decision and Game Theory for Security. GameSec 2010. Lecture Notes in Computer Science, vol 6442. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17197-0_13

  • DOI: https://doi.org/10.1007/978-3-642-17197-0_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-17196-3

  • Online ISBN: 978-3-642-17197-0

  • eBook Packages: Computer Science (R0)