Passwords

The Good, The Bad and The Ugly

• Authenticate: You are what you know
• Assumption: The password is something only the user
knows
– Proves identity of the user
– Gives access to data/functionality that only the user should
be able to have
 The Good, The Bad and The Ugly
• The good
– Rely on memory only, no extra hardware/software
– Easy to change if compromised
– Universally used, requires terminal access only
• The bad
– Weak passwords, easy to guess by strangers
– Personal passwords, easy to guess by friends
– Many passwords, reuse or forget/reset
• The ugly
– Compromised passwords reused at other servers
– Compromised passwords give access to more than
just user data
 Ideal Passwords Are
• Strong
– Hard to guess by strangers and friends
• Memorable
– Easily and consistently recalled by the user
• Diverse
– Very different passwords for different sites
 Opposite Requirements
• Strong
– Look like random character strings
• Memorable
– Have some connection to user memories/values
• Diverse
– Hard to remember many strong passwords,
which are uncorrelated
 Some Other Auth Failure Causes
• Capitalization, plural, punctuation, character
replacement
– Hard to remember
• Misspelling
• Password policies are not public during auth.
• Hard to associate a password with a site
– Username too
• Making choices is easy, remembering them is hard
 How People Use Passwords*
• ½ million users over 3 months
• Instrument browser, observe
– Number of passwords/sites total and per day
– Password strength and types
– Password reuse (only able to detect substring matches)
– Recall via reset events

*“A Large-Scale Study of Web Password Habits”

Dinei Florencio and Cormac Herley, Microsoft Research, Proc. of WWW 2007
 Password Usage
• An average user has 25 password accounts
• On average 7 actively used, unique passwords
– 8 passwords typed per day, includes duplicates
• An average password is reused at 6 sites
– Strong passwords (>60 bits, 9 chars) are reused at
4.48 sites
– Weak passwords (<30 bits, 4 chars) are reused at
6 sites

Lots of need for passwords, lots of reuse

Password Strength

Policy drives password strength

Password Composition

Most passwords contain only letters

 Password Reset
• 4.28 % of Yahoo users forgot their password
over 3 month period
• 15% of visits were for password resets
• No results for other sites

Password resets are frequent

 How People Reuse Passwords*
• Collected publicly available leaked password sets
– Containing email and password
– This way authors can evaluate if one could use
credentials stolen from one site to log into another
– Without email one could mix up the above measure
with measure how many users use popular passwords
• 6,077 unique users with at least two leaked
passwords (97.75% had exactly two)
– So this study is really asking “if you have two passwords
how likely it is that they are similar/same”
*“A Tangled Web of Password Reuse”
Anupam Das et al, UIUC, Proc. of NDSS 2014
 Do People Reuse Passwords?
• Password reuse strategies
2-3 chars

Yes! Many passwords are reused with simple strategies

Attacker can try a small number of candidates to
version a compromised password into the correct one
Prominent Transformation Rules

A few trials for the attacker

 Attack Success

30% within 10 attempts

85% of non-identical passwords can be guessed

if a password at another site is leaked for the same user
 Why People Version Passwords
Ran a survey, 220 respondents

Version to comply with policy, increase security or

increase recall
How Many Different Passwords
Ran a survey, 220 respondents

Most have 2-4

 How Are Passwords Saved
Ran a survey, 220 respondents

Most are memorized

 How People Create Passwords*
• Lab study with 49 participants
– Created passwords for fictitious banking, email and
news website
– While thinking aloud
– 3 password composition policies, each user assigned to
only one of them
• 1class6: 6 characters
• 2class8: 8 characters, 2 classes
(e.g., upper and lowercase letters)
• 3class12: 12 characters, 3 classes
• Post-study interview to investigate strategies
*”I added ! at the end to make it secure”
Blasé Ur et al, CMU, Proc. of SOUPS 2014
 Password Strength

38% are guessable by dictionary attacks

 Examples of Passwords
• Guessed
– Tyrone1975
– Gandalf*8
– Triptrip1963
• Not guessed
– 5cupsoftoys
– AfNaHiLoco
– 7301Poplarblvd$

Passwords mostly not on popular password lists

 Does Value of Site Matter?
• 43% of users considered all accounts to be of
equal value
– Either reused the same password or different
password but same composition strategy
• 14% thought their news account was of low value
• 22% thought only bank account was of high value
and news and email of low value
• Remaining 20% considered all accounts of
different value (highest bank or email)
 Does Value of Site Matter?
• Users tended to create weak passwords for low-
value sites and heavily reuse them
– They were more careful about high-value sites
– Most didn’t understand why reuse is bad if password
is strong
• But they didn’t understand how to create a
strong password
– Common misconception: changing or adding a few
characters to common words makes strong password

Users assumed a human guesser

 Password Creation Strategies
• Usually same approach for all accounts
– Link to site or use user-specific words
– Then just version
– Improves memorability
• Capital letters in the beginning, numbers at the
end
• 35% of users relied on memory only to store
passwords so memorability was of high concern

Very predictable
Password Creation Strategies
Password Creation Strategies
 Password Creation Strategies
• Words chosen based on personal significance
– Names of people, pets, locations, dates
• Many passwords site-specific
• Simple transformation rules that are supposed to make
password more secure
– Attackers don’t know my pet’s name
– Attackers expect me to use my birthday, I will use my friend’s
birthday
– I don’t have this info on Facebook
– Hard-to-spell words, passphrases from books
– Don’t work against automated attacks

Users don’t expect automated attacks

 Possible Improvements
• Help users choose strong passwords
(Telepathwords, password strength meters)
• Educate users about good choosing strategies
(start with passphrase, replace some characters)
• Come up with a different way to do passwords
– Draw them
– Pick favorite picture
– Security questions
– Use memories of personal events
 Facebook Password Snafu
• Read the article at:
https://www.wired.com/story/facebook-passwords-p
laintext-change-yours
/
• What did Facebook do wrong?
• Were/are users in danger?
for

time PBL
 Comparing Subjective and Objective
Password Strategies*
• 50 USC students, half non-tech majors
• How prevalent are bad password habits?
• What influences password strength?
• User’s intent
• Risk perception
• Website importance
• Website’s password policy
• How well does users’ password practices align
with their intent?
• User survey and analysis of real passwords
• Cannot store real passwords due to privacy
*”Leveraging semantic transformation to investigate password habits and their
causes”, Hanamsagar, Woo, Kanich and Mirkovic, CHI 2018
Study Methodology
 Findings
• Users do not know what they are doing
• Bounded rationality – users do not make rational
decisions but are bounded by time, cognitive
limitations, problem complexity
• Users underestimate the number of accounts they
have: 15 vs 80
• Narrate more rational reuse strategies, not supported
by password analysis, e.g., “I do not reuse” or “I reuse
only between non-important accounts”
• Narrate different password composition policies, e.g.,
“I use random letters”, not supported by password
analysis
 Findings
• Reuse is rampant and indiscriminate

• Users value memorability

• 44% knowingly reuse because of memorability
• Users rely on memorability
• Passwords of those who use managers are not
stronger or more diverse
• Users underestimate risk
• 76% assume an online guessing attack
• 18% do not understand password reuse attacks
 Recommendations
• Tools that keep track of user password habits
• Easy to integrate this with password managers
• Identify problematic cases of reuse
(important accounts)
• Identify rarely-used accounts and help users change
their passwords to random
• Produce summaries of password hygiene
• Help users create stronger passwords
• Help users create strategies that associate
passwords with servers
 Mnemonic Passphrase (MNPass)*
• System-Generated Passphrases (SysPass): Secure but less
memorable. Also, does not scale as number of accounts increase
• User-Chosen Passphrases (Upass): Memorable but less secure
• Our Goal (MNPass): explore Memorable, Secure, Diverse, and
Usable Passphrase generation
– We hypothesize people are creative enough but just not trained to come up
with good passphrases
– Increase Memorability: By letting users choose their own instead system
assigns and also provide the first letter mnemonic
– Increase Security: By carefully generating mnemonic chars (MNChars)
constraints, where each word user chooses should contain a letter from
MNchars in order

*”Improving Recall and Security of Passphrases through Use of Mnemonics”

Simon Woo, Jelena Mirkovic, Proc of Passwords Conference 2016
 MNPass Example
Study Link

Examples
Recall is comparable to UPass
Security is comparable to SysPass
 Life-Experience Passwords (LEPs)*
• Strong passwords are easily forgotten
• Weak passwords are easily broken
• Users reuse passwords at different sites
• This holds for non-textual passwords too, plus they
are more difficult to use

memorability
guessability

* “Life-Experience Passwords (LEPs),” Simon Woo, Elsi Keiser, Ron Artstein, Jelena
Mirkovic, Proceedings of ACSAC, 2016
 Life-experience Passwords
• Use memories from a user’s past
• Collect facts – time, locations, people, activities,
conversations
– No preferences, no opinions
• Turn this into Q & A pairs
– Questions become prompts
– Answers become LEP
Life-experience Passwords
 Life-experience Passwords
CREATION AUTHENTICATION
user narrative user title user answers

title
hash
question
Factoid extraction

factoid
question answer title

hash match?

store
 Challenges
• How to collect memories, needs to be user-friendly
– “Tell me a story” vs Q & A
• How to mine for useful data
– Using natural language processing, hard in general
• How to detect weak facts
– E.g. relationships vs names, empty stories
• How to avoid use of sensitive info in LEPs
• How to deal with synonyms, misspellings, etc.
• How to store these passwords using one-way hashes
 User Studies
• Ask a user to create 10 LEPs and 10 OPs
• User returns after 1 week to authenticate
• Measure strength, memorability and guessability
• Recruit users and friends
– Users create one LEP
– Friends try to guess correct answers
LEPs Are Strong and Memorable

Comparable password strength is 53 bit and recall is around 26% and 9%

 LEPs Are Hard to Guess

Comparable security questions are guessed at 17-25%

 LEPs Are Diverse
• Less than 0.5% are the same and up to 15% are
similar
– Attacker must guess 34-48 bits to authenticate
• Around 6% of OPs are the same and up to 32% are
similar
– Attacker must guess 37 bits to authenticate
 Issues
• LEPs took 5x longer to create and authenticate
• How do we store LEPs?
– Hash per answer
• Easy to break by guessing most likely answers first
– Hash per LEP
• User must recall all facts
– Several hashes of strong combinations of facts
• No feedback to user what they missed
 Do You Reuse Passwords?
• Check if you run Python2
python --version
• Download the code from Github:
https://github.com/ameyah/browser-password-
analysis.git
• Follow README to install
for
• Close your Chrome browser
time PBL
• Run
python analysis.py