Richard Shay
Lujo Bauer
Nicolas Christin
Lorrie Faith Cranor
Blase Ur
ABSTRACT
Users often struggle to create passwords under strict requirements. To make this process easier, some providers present real-time feedback during password creation, indicating which requirements are not yet met. Other providers guide users through a multi-step password-creation process. Our 6,435-participant online study examines how feedback and guidance affect password security and usability. We find that real-time password-creation feedback can help users create strong passwords with fewer errors. We also find that although guiding participants through a three-step password-creation process can make creation easier, it may result in weaker passwords. Our results suggest that service providers should present password requirements with feedback to increase usability. However, the presentation of feedback and guidance must be carefully considered, since identical requirements can have different security and usability effects depending on presentation.
- Brantz, T., and Franz, A. The Google Web 1T 5-gram corpus. Tech. Rep. LDC2006T13, Linguistic Data Consortium, 2006.Google Scholar
- Chiasson, S., Forget, A., Stobert, E., Biddle, R., and P.C. van Oorschot. Multiple password interference in text and click-based graphical passwords. In CCS (2009). Google ScholarDigital Library
- Egelman, S., Sotirakopoulos, A., Muslukhov, I., Beznosov, K., and Herley, C. Does my password go up to eleven?: The impact of password meters on password selection. In CHI (2013). Google ScholarDigital Library
- Fahl, S., Harbach, M., Acar, Y., and Smith, M. On the ecological validity of a password study. In SOUPS (2013). Google ScholarDigital Library
- Forget, A., Chiasson, S., van Oorschot, P. C., and Biddle, R. Improving text passwords through persuasion. In SOUPS (2008). Google ScholarDigital Library
- Furnell, S. An assessment of website password practices. Computers & Security 26, 7 (2007), 445--451. Google ScholarDigital Library
- Furnell, S. Assessing password guidance and enforcement on leading websites. Computer Fraud & Security 2011, 12 (2011), 10--18.Google ScholarCross Ref
- Furnell, S., and Bär, N. Essential lessons still not learned? Examining the password practices of end-users and service providers. In Human Aspects of Information Security, Privacy, and Trust (2013), 217--225.Google ScholarCross Ref
- Kelley, P. G., Komanduri, S., Mazurek, M. L., Shay, R., Vidas, T., Bauer, L., Christin, N., Cranor, L. F., and Lopez, J. Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. In IEEE SP (2012). Google ScholarDigital Library
- Kerby, D. S. The simple difference formula: An approach to teaching nonparametric correlation. In Innovative Teaching. 2014.Google Scholar
- Mazurek, M. L., Komanduri, S., Vidas, T., Bauer, L., Christin, N., Cranor, L. F., Kelley, P. G., Shay, R., and Ur, B. Measuring password guessability for an entire university. In CCS (2013). Google ScholarDigital Library
- Moshfeghian, S., and Ryu, Y. S. A passport to password best practices. Ergonomics in Design: The Quarterly of Human Factors Applications 20, 2 (2012), 23--29.Google ScholarCross Ref
- Schneier, B. Myspace passwords aren't so dumb. http://www.wired.com/politics/security/ commentary/securitymatters/2006/12/72300, 2006.Google Scholar
- Shay, R., Ion, I., Reeder, R. W., and Consolvo, S. "My religious aunt asked why I was trying to sell her viagra": Experiences with account hijacking. In CHI (2014). Google ScholarDigital Library
- Shay, R., Komanduri, S., Durity, A. L., Huh, P. S., Mazurek, M. L., Segreti, S. M., Ur, B., Bauer, L., Christin, N., and Cranor, L. F. Can long passwords be secure and usable? In CHI (2014). Google ScholarDigital Library
- Shay, R., Komanduri, S., Kelley, P. G., Leon, P. G., Mazurek, M. L., Bauer, L., Christin, N., and Cranor, L. F. Encountering stronger password requirements: user attitudes and behaviors. In SOUPS (2010). Google ScholarDigital Library
- Ur, B., Kelley, P. G., Komanduri, S., Lee, J., Maass, M., Mazurek, M., Passaro, T., Shay, R., Vidas, T., Bauer, L., Christin, N., and Cranor, L. F. How does your password measure up? The effect of strength meters on password creation. In USENIX Security (2012). Google ScholarDigital Library
- Vance, A. If your password is 123456, just make it HackMe. The New York Times, http://www.nytimes. com/2010/01/21/technology/21password.html, January 2010.Google Scholar
- Weir, M., Aggarwal, S., Collins, M., and Stern, H. Testing metrics for password creation policies by attacking large sets of revealed passwords. In CCS (2010). Google ScholarDigital Library
- Weir, M., Aggarwal, S., de Medeiros, B., and Glodek, B. Password cracking using probabilistic context-free grammars. In IEEE SP (2009). Google ScholarDigital Library
Index Terms
- A Spoonful of Sugar?: The Impact of Guidance and Feedback on Password-Creation Behavior
Recommendations
Designing Password Policies for Strength and Usability
Password-composition policies are the result of service providers becoming increasingly concerned about the security of online accounts. These policies restrict the space of user-created passwords to preclude easily guessed passwords and thus make ...
Can long passwords be secure and usable?
CHI '14: Proceedings of the SIGCHI Conference on Human Factors in Computing SystemsTo encourage strong passwords, system administrators employ password-composition policies, such as a traditional policy requiring that passwords have at least 8 characters from 4 character classes and pass a dictionary check. Recent research has ...
Usability and Security of Text Passwords on Mobile Devices
CHI '16: Proceedings of the 2016 CHI Conference on Human Factors in Computing SystemsRecent research has improved our understanding of how to create strong, memorable text passwords. However, this research has generally been in the context of desktops and laptops, while users are increasingly creating and entering passwords on mobile ...
Comments