Password Composition Policies Research Articles

Priming through Persuasion: Towards Secure Password Behavior

Users tend to create weak passwords even for the important accounts. The prior research shed light on user's insecure password behavior, and why the interventions, including requirement specification (e.g., password composition policies) and feedback systems (e.g., password meters) fail in practice. To this end, we propose and evaluate the concept: priming-through-persuasion in the realm of secure password creation. In particular, we created visual designs, aimed at priming users about the repercussions of weak passwords before their password creation. We base our designs on two forms of persuasion methods: pathos and logos. Pathos appeals to people's emotion in order to persuade them towards an expected behavior, where logos-based rhetoric appeals to a person's sense of reason. We conducted a lab study including participatory design and semi-structured interview with 20 participants. We updated our designs in an iterative manner based on the feedback from our participants in the lab study. To evaluate our updated designs, we conducted a between-subject online study with 131 participants over Amazon Mechanical Turk. Our study provides insight into how the use of persuasion techniques contributed to user attachment and engagement with the design, as well as the comprehension of the conveyed message about password vulnerabilities. Our findings lead to the guideline for future research on leveraging the priming-through-persuasion to complement the existing techniques in encouraging users towards secure behavior.

PasswordTensor: Analyzing and explaining password strength using tensor decomposition

A textual password is widely used for user authentication for a variety of applications. Passwords that are easy to remember are also easy to be guessed, while complex and long passwords that provide strong security are difficult to remember. Also, there has been limited quantitative research to understand the factors that make passwords strong. In this research, we aim to expand our understanding of passwords through the lenses of data-driven analysis by characterizing a large number of password datasets with four different hypotheses. In particular, we use the tensor decomposition method that is effective in analyzing unlabeled high dimensional data. We first obtain 362,805 passwords from four different leaked password datasets. Next, we generate syntactic and semantic features for each password, then classify it into three strength groups using a statistical guessing attack model. Finally, we construct a 3rd-order password tensor and decompose it using the PARAFAC2 algorithm to examine the main characteristics which make passwords strong. Also, we apply an orthogonal constraint to the component matrix to mitigate the uniqueness problem. For the optimal rank and constraint selection, we compare three types of constraints in terms of the computational time, reconstruction ratio, and Corcondia score. With various statistical and tensor decomposition analyses, we find dominant factors that influence on a strong password. In addition, we extend our tensor decomposition-based model for strength retrieval when a new password needs to be evaluated. This strength retrieval model can estimate the strength of the new password input quickly and provide recommendations to strengthen the password. We hope that our model based on data science perspective can validate widely accepted password composition policy and suggestion methods, and further provide insights to designing better password suggestion systems and password composition policies.

Dynamically Generate Password Policy via Zipf Distribution

Password composition policies are helpful in strengthening password’s resistance against guessing attacks. Sadly, existing off-the-shelf composition policies often remain static, which creates potential security vulnerability. In this paper, we propose a new adaptive password policy generation framework called HTPG. Based on the Zipf distribution of passwords, HTPG classifies all passwords in data set into two categories, that is, head passwords and tail passwords. We find that head passwords are vulnerable and high-value for attackers because they are most frequently used, while tail passwords have higher strength than head passwords. According to this fact, HTPG dynamically generates policies to enhance head passwords by modifying them so as to be closer to tail passwords on feature space. By introducing the idea of machine learning, we propose a policy sort method based on information gain ratio to help user choose more effective policies in enhancing head passwords. HTPG can effectively improve the security of entire password data set and make the password distribution more uniform. Experiments show that the number of cracked head passwords decreases 69% on average, compared with the original head passwords, by adopting policies generated by HTPG. Surveys on usability show that 80.23% enhanced passwords can be recalled by those who remember the corresponding original passwords.

TransPCFG: Transferring the Grammars From Short Passwords to Guess Long Passwords Effectively

Long passwords are gaining popularity in password policy recommendations; however, data-driven guessing studies are woefully inadequate in adapting to long passwords, lacking in both guessing efficiency and their composition guidelines. For state-of-the-art data-driven password guessing methods such as PCFGs (Probabilistic Context-free Grammars), their guessing efficiency is limited by the presence of a large scale training data, or the lack thereof. Given that long passwords leaked in the real world are typically scarce, coupled with the fact that the data-driven methods’ performance depends on training data, obtaining good performance on long passwords has become a key challenge. To overcome the dataset limitation, we propose a framework <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">TransPCFG</i> , that transfers the knowledge, (i.e., grammars in PCFGs), from short passwords to facilitate long password guessing. We further perform an empirical evaluation based on three real-world datasets and the results demonstrate superior performance over the state-of-the-art data-driven guessing methods under <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">${10}^{14}$ </tex-math></inline-formula> offline guesses. For passwords with 16 characters, <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">TransPCFG</i> can compromise an average of 23.30% of the passwords, outperforming PCFG_v4.1 by 56.10%. Additionally,for better password-composition guidelines, we find that long password-composition policies requiring more segments are more resistant to guessing attacks. For the segment, the password <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">12zxcvbnword1997</i> has four segments since it follows the template <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">${Digit}_{2}{Keyboard}_{6}{Letter}_{4}{Year}_{4}$ </tex-math></inline-formula> . We thus recommend users to create long passwords with four or more segments instead of the widely recommended more character classes for security.

Nudging personalized password policies by understanding users’ personality

Password composition policies are used to prevent users from picking weak passwords. A website usually provides a unified password policy for each user but ignores the fact that people have a variety of preferences due to individual differences, which makes it difficult to achieve the expected strong password goals. In order to improve the effectiveness of password composition policies, we propose a dynamic personalized password policy (DPPP), which can personally recommend different password policies according to the user’s personality traits. We conduct an online study to evaluate the security and usability of DPPP and the two common password composition policies Basic8 and 3class8. The study results show that DPPP is more effective than Basic8 and 3class8 in resisting online and offline guessing attacks. DPPP is inferior to Basic8 and 3class8 only in the creation time and outperforms 3class8 in creating difficulty with significant differences.

Optiwords: A new password policy for creating memorable and strong passwords

User-generated textual passwords suffer from the conflict between security and usability. System administrators usually adopt password composition policies to help users choose strong passwords. However, users often use predictable patterns to meet the strict password composition policies and to make passwords easy to remember, which in turn reduces the password strength, or write the password down, which may cause the password to be compromised. To overcome the user-generated password security and usability dilemma, we propose Optiwords, which is a new textual-password creation policy that is based on picture superiority effect, which provides users with a direct “drawing-to-text” method for creating user-friendly passwords. Optiwords helps users design separate line drawings on the keyboard as a “password figure” and choose the characters on the lines of the drawings in a certain sequence as the final textual password. A two-part user study with 127 participants was conducted to compare the usability and security of Optiwords with other three popular password policies. The results showed that there was no statistically significant difference compared Optiwords with Basic8 or 3class8 in memorability. The password strength of Optiwords outperformed Basic8 and 3class8. Compared with Random8, Optiwords had a great advantage in usability.

Pushing on string

Enterprises that impose stringent password-composition policies appear to suffer the same fate as those that do not.

Designing Password Policies for Strength and Usability

Password-composition policies are the result of service providers becoming increasingly concerned about the security of online accounts. These policies restrict the space of user-created passwords to preclude easily guessed passwords and thus make passwords more difficult for attackers to guess. However, many users struggle to create and recall their passwords under strict password-composition policies, for example, ones that require passwords to have at least eight characters with multiple character classes and a dictionary check. Recent research showed that a promising alternative was to focus policy requirements on password length instead of on complexity. In this work, we examine 15 password policies, many focusing on length requirements. In doing so, we contribute the first thorough examination of policies requiring longer passwords. We conducted two online studies with over 20,000 participants, and collected both usability and password-strength data. Our findings indicate that password strength and password usability are not necessarily inversely correlated: policies that lead to stronger passwords do not always reduce usability. We identify policies that are both more usable and more secure than commonly used policies that emphasize complexity rather than length requirements. We also provide practical recommendations for service providers who want their users to have strong yet usable passwords.

ProActive Approach for Generating Random Passwords for Information Protection

Text based passwords are the most widely used authentication mechanism in multiuser environment. Creating strong password is often a difficult task for users. Multiuser environments employ some password composition policy for users, which require a password containing alphabets (both lowercase and uppercase), numerical digits and special symbols. These policies become obstacle for users in creating good password that satisfies the specific policy. Users favor memorability factor without considering its security against an attacker. Memorability is important because if a user forgets password then usability of the system decreases. This paper presents a ProActive random password generation technique. A random password is generated by inserting random digits and special symbols in a randomly chosen word. Generated password is checked against certain attacker approaches through ProActive analysis. If ProActive analysis results positive then password is discarded and process starts all over again. To help users in memorizing password, both how the password is generated and word used to generate the password is sent.

Impact of restrictive composition policy on user password choices

This study investigates the efficacy of using a restrictive password composition policy. The primary function of access controls is to restrict the use of information systems and other computer resources to authorised users only. Although more secure alternatives exist, password-based systems remain the predominant method of user authentication. Prior research shows that password security is often compromised by users who adopt inadequate password composition and management practices. One particularly under-researched area is whether restrictive password composition policies actually change user behaviours in significant ways. The results of this study show that a password composition policy reduces the similarity of passwords to dictionary words. However, in this case the regime did not reduce the use of meaningful information in passwords such as names and birth dates, nor did it reduce password recycling.