40th Meeting

  • Speaker: Blase Ur (CMU)
  • Date: February 1st, 2013 (Friday)
  • Room: CIT 368
  • Title: Helping Users Create Better Passwords
  • Abstract:

Despite countless proposed password replacements, text passwords are not about to disappear. Our group has been investigating how to help users create passwords that are both memorable and secure. In this talk, I will discuss a recent study of how password-strength meters affect password security and usability, as well as ongoing work investigating deeper patterns in the way humans craft passwords.

Many web sites have deployed password meters that provide visual feedback on password strength. The first part of my talk will discuss results from a large-scale study on these meters’ effects. We had 2,931 subjects create passwords in the presence of 14 password meters, and we found that meters with a variety of visual appearances led users to create longer passwords. However, significant increases in resistance to a password-cracking algorithm were only achieved using meters that scored passwords stringently. Password meters also affected the act of password creation, causing users to spend longer on the process and to be more likely to change their password during creation.

The second part of my talk will discuss ongoing work on deeper structural properties of passwords. Using both leaked sets of real passwords and experimental datasets from past work, we have been examining passwords from a linguistic perspective. We have found evidence that, after splitting passwords into separate “chunks,” one can often guess the next chunk from its predecessor. Labeling each chunk with its part of speech, we have discovered a disproportionately high use of nouns and little variety in adjectives. We have also analyzed password creation, finding that users forced to comply with a password-composition policy often modify passwords in predictable ways, and that users can be urged successfully to add particular character classes during pauses in creation. We propose future directions both for improving password cracking and for helping users create better passwords.

Blase Ur is a second-year PhD student at Carnegie Mellon advised by Lorrie Cranor, where he is working on usable security and privacy. For more information, visit his website: www.blaseur.com