Design and Evaluation of a Data-Driven Password Meter

Privacy and Security

Article Snapshot

Author(s)

Felicia Alfieri, Maung Aung, Lujo Bauer, Nicolas Christin, Jessica Colnago, Lorrie Faith Cranor, Henry Dixon, Pardis Emami Naeini, Hana Habib, Noah Johnson, William Melicher and Blase Ur

Source

Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, pp. 3775-3786, May 6–11, 2017

Summary

Password meters, which measure the strength of computer users’ passwords, are not always accurate or helpful. This paper describes a meter that measures strength accurately and gives users detailed feedback on how to improve their password.

Policy Relevance

Users given detailed feedback can create more secure passwords.

Main Points

  • Password meters tell users if their password is “weak” or “fair” but do not tell them how to improve it.
    • Requiring users to include certain types of characters is sometimes helpful.
    • Most meters measure strength by considering the password’s length and the different types of characters used, but this does not always accurately measure strength.
  • This paper describes a password meter that combines neural networks and other methods to assess the strength of passwords and offer detailed feedback on how to improve it.
    • The meter relies on work using neural networks to model a password-guessing attack.
    • The meter considers many other factors, such as the use of common words, or the placement of digits and uppercase characters in expected locations.
  • The meter offers detailed feedback, such as “Don’t use dictionary words” and “Capitalize a letter in the middle,” and suggests an improved version of the password.
  • A study of 4,509 online computer users found that the meter encouraged users to create stronger passwords that were still memorable.
    • 78.2% of participants were later able to recall their passwords from memory.
    • 31.5% said they learned something new from the feedback, such as not to base passwords on user names.
  • The password meter had the least impact on users who were asked to create especially long, complex passwords.
  • The code for the password meter has been released as open-source software.
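The following is an added example, not the paper's meter or its released code. It sketches in JavaScript the heuristic side of the feedback described in the main points: flagging dictionary words, username-based passwords, digits placed only at the end, an uppercase letter only at the start, and repeated characters, and then rewriting the password along the lines of "capitalize a letter in the middle". The word list, the scoring weights and the rewrite rules are constructed assumptions for illustration; the neural-network guessing model that the real meter combines with such heuristics is not part of this example.

```javascript
// Added example, not the paper's meter. Heuristic password feedback in the
// spirit of the meter described above. COMMON_WORDS, the scoring weights and
// the rewrite rules in suggestImprovement are constructed assumptions.

// Constructed sample of words a real meter would look up in a much larger list.
const COMMON_WORDS = ["password", "welcome", "dragon", "monkey",
                      "letmein", "qwerty", "sunshine", "football"];

// Returns { feedback: [...messages...], score: 0..5 } for a candidate password.
// `username` lets the checker flag passwords derived from the account name.
function analyzePassword(password, username = "") {
  const feedback = [];
  const lower = password.toLowerCase();

  if (password.length < 12) feedback.push("Use at least 12 characters.");

  const word = COMMON_WORDS.find(w => lower.includes(w));
  if (word) feedback.push(`Don't use dictionary words (found "${word}").`);

  if (username && lower.includes(username.toLowerCase())) {
    feedback.push("Don't base your password on your username.");
  }

  // Digits that appear only as a trailing run are in an expected location.
  if (/^[^0-9]+[0-9]+$/.test(password)) {
    feedback.push("Don't put digits only at the end.");
  }

  // An uppercase letter only at position 0 is likewise an expected location.
  if (/^[A-Z][^A-Z]*$/.test(password)) {
    feedback.push("Capitalize a letter in the middle, not just the first one.");
  }

  if (/(.)\1\1/.test(password)) {
    feedback.push("Avoid repeating the same character three or more times.");
  }

  // Constructed scoring: one point per character class, bonuses for length,
  // minus one point per piece of feedback, clamped to the 0..5 range.
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter(re => re.test(password)).length;
  const base = classes + (password.length >= 12 ? 1 : 0)
                       + (password.length >= 16 ? 1 : 0);
  const score = Math.max(0, Math.min(5, base - feedback.length));

  return { feedback, score };
}

// Rewrites the password so that it no longer trips the placement heuristics:
// trailing digits move into the middle, a middle letter is capitalized, and a
// symbol is appended if none is present. Rules are constructed for illustration.
function suggestImprovement(password) {
  let s = password;

  const m = s.match(/^(.*?[^0-9])([0-9]+)$/);
  if (m) {
    const body = m[1], digits = m[2];
    const mid = Math.floor(body.length / 2);
    s = body.slice(0, mid) + digits + body.slice(mid);
  }

  if (!/[A-Z]/.test(s.slice(1))) {
    const chars = s.split("");
    for (let i = Math.floor(chars.length / 2); i < chars.length; i++) {
      if (/[a-z]/.test(chars[i])) { chars[i] = chars[i].toUpperCase(); break; }
    }
    s = chars.join("");
  }

  if (!/[^A-Za-z0-9]/.test(s)) s += "!";
  return s;
}

// Demonstration on constructed inputs.
for (const [pw, user] of [["Password123", "alice"], ["alice2019!", "alice"]]) {
  const result = analyzePassword(pw, user);
  console.log(pw, "score", result.score, result.feedback);
  console.log("  suggested:", suggestImprovement(pw));
}
```

Run it with `node` or paste it into a browser console; `analyzePassword` is the piece a registration form would call on every keystroke, and `suggestImprovement` shows why the feedback messages are worded as concrete actions rather than a single "weak" label.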