de Carné de Carnavalet, Xavier and Mannan, Mohammad (2014) From Very Weak to Very Strong: Analyzing Password-Strength Meters. In: Network and Distributed System Security (NDSS) Symposium 2014. (In Press)
Text (Extended version of an NDSS2014 paper) (application/pdf), 403kB, out-tech-mmcopy.pdf - Accepted Version. Available under License Spectrum Terms of Access.
Abstract
Millions of users are exposed to password-strength meters/checkers at highly popular web services that use user-chosen passwords for authentication. Recent studies have found evidence that some meters actually guide users to choose better passwords—which is a fairly rare bit of good news in password research. However, these meters are mostly based on ad-hoc design. At least, as we found, most vendors do not provide any explanation of their design choices, sometimes making them appear to be a black box. We analyze password meters deployed in selected popular websites, by measuring the strength labels assigned to common passwords from several password dictionaries. From this empirical analysis with millions of passwords, we report prominent characteristics of meters as deployed at popular websites. We shed light on how the server-end of some meters functions, provide examples of highly inconsistent strength outcomes for the same password in different meters, along with examples of many weak passwords being labeled as strong or even very strong. These weaknesses and inconsistencies may confuse users in choosing a stronger password, and thus may weaken the purpose of these meters. On the other hand, we believe these findings may help improve existing meters, and possibly make them an effective tool in the long run.
Divisions: | Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering |
---|---|
Item Type: | Conference or Workshop Item (Paper) |
Refereed: | Yes |
Authors: | de Carné de Carnavalet, Xavier and Mannan, Mohammad |
Journal or Publication: | Network and Distributed System Security Symposium (NDSS 2014) |
Date: | February 2014 |
ID Code: | 978049 |
Deposited By: | Mohammad Mannan |
Deposited On: | 06 Dec 2013 19:46 |
Last Modified: | 18 Jan 2018 17:45 |
Available Versions of this Item
- From Very Weak to Very Strong: Analyzing Password-Strength Meters. (deposited 06 Dec 2013 19:46) [Currently Displayed]