Password Creation in the Presence of Blacklists
Author(s): Hana Habib, Jessica Colnago, William Melicher, Blase Ur, Sean M. Segreti, Lujo Bauer

Date: February 26, 2017
Publication: Proceedings of the 2017 Workshop on Usable Security (USEC '17)
Publisher: Internet Society
Abstract or Summary:
Attackers often target common passwords in guessing attacks. Some website administrators have reacted to this by making these passwords ineligible for use on their sites. While past research has shown that adding a blacklist to a password policy generally makes resulting passwords harder to guess, it is important to understand whether users go on to create significantly stronger passwords, or ones that are only marginally better. In this paper we investigate how users change the composition and strength of their passwords after a blacklisted password attempt. Additionally, we analyze differences in sentiment toward password creation based on whether a user created a blacklisted password. Our examination utilizes data collected from a previous online study evaluating various design features of a password meter through a password creation task. We analyzed 2,280 password creation sessions and found that participants who reused even a modified version of a blacklisted attempt during the task ultimately created significantly weaker passwords than those who did not attempt to use a blacklisted password. Our results also indicate that text feedback provided by a password meter mitigated this effect.

Note: Additional authors not listed above: Nicolas Christin, Lorrie Faith Cranor

