Password Creation in the Presence of Blacklists
Date: February 26, 2017
Publication: Proceedings of the 2017 Workshop on Usable Security (USEC '17)
Publisher: Internet Society
Source 1: https://www.internetsociety.org/sites/default/files/usec2017_01_3_Habib_paper.pdf
Source 2: http://jessicacolnago.com/publications/Habib2017.pdf
Abstract or Summary:
Attackers often target common passwords in guessing attacks. Some website administrators have reacted to this by making these passwords ineligible for use on their sites. While past research has shown that adding a blacklist to a password policy generally makes resulting passwords harder to guess, it is important to understand whether users go on to create significantly stronger passwords, or ones that are only marginally better. In this paper we investigate how users change the composition and strength of their passwords after a blacklisted password attempt. Additionally, we analyze differences in sentiment toward password creation based on whether a user created a blacklisted password. Our examination utilizes data collected from a previous online study evaluating various design features of a password meter through a password creation task. We analyzed 2,280 password creation sessions and found that participants who reused even a modified version of a blacklisted attempt during the task ultimately created significantly weaker passwords than those who did not attempt to use a blacklisted password. Our results also indicate that text feedback provided by a password meter mitigated this effect.
PasswordResearch.com Note: Additional authors not listed above: Nicolas Christin, Lorrie Faith Cranor