http://dx.doi.org/10.13089/JKIISC.2016.26.3.757

An Analysis of Password Meters for Domestic Web Sites  

Kim, KyoungHoon (Information Security Lab., Graduate School of Information, Yonsei University)
Kwon, Taekyoung (Information Security Lab., Graduate School of Information, Yonsei University)
Abstract
Password authentication is the representative user authentication method, and text-based passwords in particular are the most widely used. Unfortunately, most users select weak passwords, so many web sites provide a password meter that measures password strength to lead users to select strong passwords. However, some metering results are inconsistent, and incorrect strength feedback is given. In this paper, we tackle these problems regarding password meters and present a direction for improvement.
Keywords
Password; Password Meter; Meter Accuracy;