Text-based passwords are the most commonly used mechanism for authenticating users to computer systems, but they are often easy for attackers to compromise. To mitigate the danger of such attacks, system administrators use password-composition policies, which force newly created passwords to adhere to a set of requirements intended to make them harder to guess. Although it is generally believed that reasonable password-composition policies make passwords harder to guess, and hence more secure, research has not been able to precisely quantify the level of resistance to password guessing provided by different password-composition policies or by the individual requirements of which they are composed. Beyond their effect on the guessability of passwords, password-composition policies also affect users' behavior. For example, certain password-composition policies that lead to more-difficult-to-predict passwords may also lead users to write down their passwords more readily, reuse them across accounts, or forget them more often. Such behavior can both affect an adversary's ability to guess passwords and raise the cost of administering a system.
This project will substantially contribute to the understanding of the effects of password-composition policies on the security and usability of text-based passwords. The results of this research will be applicable to almost all computer systems that use text-based passwords, and will allow administrators to better select suitable password-composition policies, thus rendering their systems less susceptible to account compromise. More specifically, this project will involve collecting sets of passwords (or data about passwords) created under different password-composition policies, together with data about the associated user behaviors, and analyzing them for security and usability. Sets of up to tens of thousands of passwords, or statistics about them, will be collected via online studies, actual field data from two institutions, and paper-and-pencil surveys and lab studies. These data will be analyzed using several new methods, including an approach for calculating how long it would take various state-of-the-art password-guessing tools or algorithms to guess the passwords, and a new method for approximating the entropy of passwords from smaller datasets than was previously feasible. Based on this methodology, this research will: (1) measure the guessability of passwords generated under multiple different password-composition policies more accurately than was previously possible; (2) empirically assess the usefulness of entropy approximations (a common, but questioned, measure of password strength) as a measure of password guessability by state-of-the-art password-guessing algorithms; and (3) compare the usability of, and user sentiment engendered by, each password-composition policy to develop a holistic understanding of the merits of policies. This will enable the development of a set of actionable guidelines for administrators that will help them select password-composition policies appropriate for their user populations and security requirements.
Two graduate students will be directly involved in this research project.
Research supported by this award led to a substantially improved understanding of the methodology for conducting research on passwords. It also resulted in new, empirically backed insights into the effects of both traditional and novel password meters, password-composition policies, and password guidance on the security and usability of passwords. More specifically, our research demonstrated some of the weaknesses of using entropy-based measures to assess the resistance of passwords to cracking, and developed an efficient calculator-based approach to computing the guessability of plaintext passwords. We also examined the effectiveness of different sources of password data (including leaked passwords and passwords created during studies) at simulating the characteristics of real passwords. Using over 25,000 Carnegie Mellon passwords as a baseline, we determined that passwords created in online studies are more reliably representative of real passwords than are leaked or stolen passwords. Our investigations of password meters determined that their use during password creation reliably led to stronger passwords without impact on usability. Surprisingly, the details of the visual aspects of the meters made little difference to efficacy; on the other hand, effective meters had in common that they conveyed password strength both visually and textually and provided suggestions about how to improve the security of candidate passwords. Most effective at improving password strength were meters with a strict scoring policy. Our investigation of password-composition policies determined that policies that emphasize length requirements rather than complexity often result in passwords that are both more secure and more usable. We found little evidence to suggest that simple passphrases are a good alternative to short passwords, at least in contexts where passwords are assigned by the system rather than chosen by users.
We identified specific policies that required passwords to be at least 12 characters long and had additional character-class or pattern requirements as good candidates for improving usability and security. We showed that these policies were more effective than traditional strong password policies at helping users create passwords that were both strong and memorable. Finally, we studied the effects of various novel ways of guiding users through the password-creation process; we found that detailed, step-by-step guidance has the potential to help users but can also cause lower user engagement, hurting security; on the other hand, detailed, specific feedback generally helped users create strong and easy-to-use passwords. Work done under this award was recognized with publications in top conferences in security and usability, including ACM CCS, IEEE S&P, USENIX Security, and ACM CHI. Additionally, this award resulted in substantial successful outreach efforts, including disseminating results through the CMU IT organization to the InCommon federation (e.g., CMU uses a password meter developed as part of this research), a widely viewed TED talk and a briefing for Congressional staff by co-PI Cranor, and supporting other researchers in their use of our password-analysis methodology. This award also contributed to K-12, undergraduate, and graduate education by involving undergraduate and high-school students in research, involving students in course projects that used tools developed as part of this research, and teaching password modules in computer science enrichment programs for middle school girls and students at a local science school.