ARTICLE SUMMARY
Password meters, which measure the strength of computer users’ passwords, are not always accurate or helpful. This paper describes a meter that measures strength accurately and gives users detailed feedback on how to improve their password.
POLICY RELEVANCE
Users given detailed feedback can create more secure passwords.
KEY TAKEAWAYS
- Password meters tell users if their password is “weak” or “fair” but do not tell them how to improve it.
- Requiring users to include certain types of characters is sometimes helpful.
- Most meters measure strength by considering the password’s length and the different types of characters used, but this does not always accurately measure strength.
- This paper describes a password meter that combines neural networks and other methods to assess the strength of passwords and offer detailed feedback on how to improve them.
- The meter relies on work using neural networks to model a password-guessing attack.
- The meter considers many other factors, such as the use of common words, or the placement of digits and uppercase characters in expected locations.
- The meter offers detailed feedback, such as “Don’t use dictionary words” and “Capitalize a letter in the middle,” and suggests an improved version of the password.
- A study of 4,509 online computer users found that the meter encouraged users to create stronger passwords that were still memorable.
- 78.2% of participants were later able to recall their passwords from memory.
- 31.5% said they learned something new from the feedback, such as not to base passwords on user names.
- The password meter had the least impact on users asked to create especially long, complex passwords.
- The code for the password meter has been released as an open source venture.
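
As an added illustration (not the paper's meter or its released code), the Python sketch below contrasts a length-and-character-class score with checks for the predictable patterns named in the takeaways above. The word list, function names and the wording of the digit-placement tip are assumptions made for this example, and the neural-network guessing model is not reproduced.

```python
import re

# Constructed mini word list; a real meter would use large dictionaries and,
# per the summary, a neural-network guessing model (not reproduced here).
COMMON_WORDS = {"password", "monkey", "dragon", "welcome", "letmein"}


def naive_score(pw):
    """Length-and-character-class score (0-5), the approach most meters use."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    return sum(bool(re.search(c, pw)) for c in classes) + (len(pw) >= 8)


def feedback(pw, username=""):
    """Return specific tips for predictable structure found in pw."""
    tips = []
    lowered = pw.lower()
    if any(word in lowered for word in COMMON_WORDS):
        tips.append("Don't use dictionary words")
    if username and username.lower() in lowered:
        tips.append("Don't base the password on your user name")
    # Uppercase in the expected location: only the first character.
    if [i for i, ch in enumerate(pw) if ch.isupper()] == [0]:
        tips.append("Capitalize a letter in the middle")
    # Digits in the expected location: one run at the end, optionally
    # followed by symbols (tip wording is constructed for this example).
    if re.fullmatch(r"\D+\d+\W*", pw):
        tips.append("Move digits away from the end")
    return tips


if __name__ == "__main__":
    # Constructed sample inputs: each one gets the top naive score.
    for candidate in ("Password1!", "tr9Wv!kzqL2m"):
        print(candidate, naive_score(candidate), feedback(candidate))
```

Both sample passwords receive the maximum class-based score, but only the first triggers the pattern tips, which is the gap between counting character types and giving detailed feedback.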