Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts
Author(s): Dinei Florencio, Cormac Herley, P.C. van Oorschot

Date: August 2014
Publication: 23rd USENIX Security Symposium, SEC '14
Publisher: USENIX
Source 1: http://research.microsoft.com/pubs/217510/passwordPortfolios.pdf
Source 2: https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/florencio

Abstract or Summary:
We explore how to manage a portfolio of passwords. We review why mandating exclusively strong passwords with no re-use gives users an impossible task as portfolio size grows. We find that approaches justified by loss-minimization alone, and those that ignore important attack vectors (e.g., vectors exploiting re-use), are amenable to analysis but unrealistic. In contrast, we propose, model and analyze portfolio management under a realistic attack suite, with an objective function costing both loss and user effort. Our findings directly challenge accepted wisdom and conventional advice. We find, for example, that a portfolio strategy ruling out weak passwords or password re-use is sub-optimal. We give an optimal solution for how to group accounts for re-use, and model-based principles for portfolio management.



Do you have additional information to contribute regarding this research paper? If so, please email siteupdates@passwordresearch.com with the details.

<-- Back to Authentication Research Paper Index





[Home] [About Us] [News] [Research]

Copyright © 2016 PasswordResearch.com