Many security problems arise at the interface between computer systems and their users. One set of such problems relates to authentication and text-based passwords, which despite numerous shortcomings and attacks remain the dominant authentication method in computer systems. Our research has contributed substantially to understanding the strategies used by actual users as they create passwords, what makes passwords strong or weak, as well as how to accurately measure password strength against real-world attacks.
To combat both the inherent and user-induced weaknesses of text-based passwords, administrators and organizations typically institute a series of rules – a password policy – to which users must adhere when choosing a password. There is consensus in the literature that a properly-written password policy can provide an organization with increased security. There is, however, less accord in describing just what such a well-written policy would be, or even how to determine whether a given policy is effective. Although it is easy to calculate the theoretical password space that corresponds to a particular password policy, it is difficult to determine the practical password space. Users may, for example, react to a policy rule requiring them to include numbers in passwords by overwhelmingly picking the same number, or by always using the number in the same location in their passwords. There is little published empirical research that studies the strategies used by actual users under various password policies. In addition, some password policies, while resulting in stronger passwords, may make those passwords difficult to remember or type. This may cause users to engage in a variety of behaviors that might compromise the security of passwords, such as writing them down, reusing passwords across different accounts, or sharing passwords with friends. Other undesirable side effects of particular password policies may include frequently forgotten passwords. In fact, the harm caused by users following an onerously restrictive password policy may be greater than the harm prevented by that policy.
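The gap between theoretical and practical password space described above can be made concrete in code. The following is an added example, not the project's own code or data: it assumes a hypothetical policy (minimum 8 characters, at least one digit) and a small constructed sample of passwords, computes the policy's theoretical space by complement counting, and then measures how concentrated users' actual choices are (where the digit goes, which digit, and the entropy of the character-class structures).

```python
import math
from collections import Counter

PRINTABLE_ASCII = 95   # printable ASCII characters a user can type
DIGIT_CHARS = 10

# Constructed sample standing in for passwords users created under the policy
SAMPLE = ["password1", "iloveyou1", "sunshine1", "princess1", "football1",
          "monkey123", "2letmein", "ba5eball1", "dragon2020", "shadow"]


def theoretical_space(min_len, max_len, require_digit=True):
    """Count strings over printable ASCII of length min_len..max_len that
    satisfy the policy. The "at least one digit" rule is counted by
    subtracting the strings that contain no digit at all."""
    total = 0
    for n in range(min_len, max_len + 1):
        count = PRINTABLE_ASCII ** n
        if require_digit:
            count -= (PRINTABLE_ASCII - DIGIT_CHARS) ** n
        total += count
    return total


def complies(password, min_len=8, require_digit=True):
    """Policy check: minimum length plus at least one digit (assumed policy)."""
    if len(password) < min_len:
        return False
    return not require_digit or any(c.isdigit() for c in password)


def structure(password):
    """Character-class mask: L for letters, D for digits, S for anything else."""
    return "".join("L" if c.isalpha() else "D" if c.isdigit() else "S"
                   for c in password)


def digit_placement(password):
    """Classify where a password's digits sit: a contiguous suffix ("end"),
    a contiguous prefix ("start"), or anywhere else ("mixed")."""
    idx = [i for i, c in enumerate(password) if c.isdigit()]
    if not idx:
        return "none"
    contiguous = idx == list(range(idx[0], idx[-1] + 1))
    if contiguous and idx[-1] == len(password) - 1:
        return "end"
    if contiguous and idx[0] == 0:
        return "start"
    return "mixed"


def practical_stats(passwords):
    """Summarise how the sampled users actually satisfied the policy."""
    compliant = [p for p in passwords if complies(p)]
    placement = Counter(digit_placement(p) for p in compliant)
    digits = Counter(c for p in compliant for c in p if c.isdigit())
    masks = Counter(structure(p) for p in compliant)
    n = len(compliant)
    # Shannon entropy (bits) of the structure distribution: a low value means
    # users converge on a few shapes despite the large theoretical space
    entropy = -sum((k / n) * math.log2(k / n) for k in masks.values())
    return {
        "compliant": n,
        "placement": dict(placement),
        "top_digit": digits.most_common(1)[0],
        "top_structure": masks.most_common(1)[0],
        "structure_entropy_bits": entropy,
    }


if __name__ == "__main__":
    print("theoretical space (8 chars, digit required):",
          theoretical_space(8, 8), "~ 2^%.1f" % math.log2(theoretical_space(8, 8)))
    print("practical picture:", practical_stats(SAMPLE))
```

Running it on the constructed sample shows the effect the text describes: the policy's 8-character space is roughly 2^51.8 strings, yet seven of nine compliant passwords append their digits, the digit `1` accounts for nearly half of all digits used, and the structure distribution carries under 2 bits of entropy.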
In this project, we seek to advance understanding of the factors that make creating and following password policies difficult, collect empirical data on password strength and memorability under various password policies, and devise password policies and mechanisms to simultaneously maximize the security and usability of passwords. We also explore how to accurately measure password strength and usability, how to efficiently crack passwords, and in general how to carry out ecologically valid experiments about passwords.
Test out your password knowledge by playing the Password Game based on our research.
Our free Password Guessability Service estimates plaintext passwords' guessability: how many guesses a particular password-cracking algorithm with particular training data would take to guess a password.
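To illustrate what a guess number is, here is an added example that is not the service's code: the service models real cracking approaches trained on large corpora, whereas this toy guesser simply orders a constructed training set by frequency and applies a handful of mangling rules. The guess number of a password is its 1-based position in that guess order, and a guessability curve is the fraction of a target set cracked within a guess budget; both depend on the algorithm and on the training data it was given.

```python
from collections import Counter

# Constructed "training set" standing in for a leaked password corpus
TRAINING = ["password", "password", "password", "password", "123456",
            "123456", "qwerty", "qwerty", "letmein", "dragon"]


def base_words(training):
    """Distinct training passwords, most frequent first (ties alphabetical)."""
    counts = Counter(training)
    return [w for w, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def mangle(word):
    """A few cheap transformation rules of the kind wordlist crackers apply."""
    yield word.capitalize()
    for d in "0123456789":
        yield word + d
    yield word + "!"


def guess_stream(training):
    """Yield candidate guesses in attack order without repeats:
    first every base word, then rule-mangled variants of each."""
    seen = set()
    bases = base_words(training)
    for guess in bases:
        seen.add(guess)
        yield guess
    for word in bases:
        for guess in mangle(word):
            if guess not in seen:
                seen.add(guess)
                yield guess


def guess_number(target, training, budget=10**6):
    """1-based position of target in the guess order, or None if it is not
    reached within budget guesses."""
    for n, guess in enumerate(guess_stream(training), start=1):
        if n > budget:
            break
        if guess == target:
            return n
    return None


def fraction_guessed(targets, training, budget):
    """Share of targets cracked within budget: one point on a guessability
    curve, the metric used to compare policies or guessing models."""
    hits = sum(1 for t in targets if guess_number(t, training, budget) is not None)
    return hits / len(targets)


if __name__ == "__main__":
    for pw in ["qwerty", "Password", "password1", "hunter2"]:
        print(pw, "->", guess_number(pw, TRAINING))
    print("cracked within 10 guesses:",
          fraction_guessed(["qwerty", "Password", "password1", "hunter2"], TRAINING, 10))
```

A password absent from the training data and not reachable by any rule (`hunter2` here) gets no guess number at all, which is why the text stresses that guessability is always relative to a particular algorithm and training set rather than an intrinsic property of the string.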
W. Melicher, B. Ur, S. Segreti, S. Komanduri, L. Bauer, N. Christin, L. Cranor. Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks. USENIX Security, August 10-12, 2016, Austin, TX.
W. Melicher, D. Kurilova, S. Segreti, P. Kalvani, R. Shay, B. Ur, L. Bauer, N. Christin, L. F. Cranor, and M. L. Mazurek. Usability and security of text passwords on mobile devices. CHI'16.
B. Ur, J. Bees, S. Segreti, L. Bauer, N. Christin, and L. F. Cranor. Do users' perceptions of password security match reality? CHI 2016 (Honorable Mention). [video teaser, online game]
S. Komanduri. Modeling the Adversary to Evaluate Password Strength with Limited Samples, PhD Thesis (COS), February 2016.
B. Ur, S. Segreti, L. Bauer, N. Christin, L. Cranor, S. Komanduri, D. Kurilova, M. Mazurek, W. Melicher and R. Shay. Measuring Real-World Accuracies and Biases in Modeling Password Guessability. USENIX Security Symposium 2015. [1-minute lightning talk video]
B. Ur, F. Noma, J. Bees, S. Segreti, R. Shay, L. Bauer, N. Christin, and L. Cranor. "I Added '!' At The End To Make It Secure": Observing Password Creation in the Lab. SOUPS 2015.
R. Shay, L. Bauer, N. Christin, L. Cranor, A. Forget, S. Komanduri, M. Mazurek, W. Melicher, S. Segreti, and B. Ur. A Spoonful of Sugar? The Impact of Guidance and Feedback on Password-Creation Behavior. CHI 2015.
C. Bhagavatula, B. Ur, K. Iacovino, S. M. Kywe, L. F. Cranor, and M. Savvides. Biometric Authentication on iPhone and Android: Usability, Perceptions, and Influences on Adoption. USEC 2015, February 8, 2015.