From Very Weak to Very Strong: Analyzing Password-Strength Meters

Carnavalet, Xavier de Carné de; Mannan, Mohammad

doi:10.14722/ndss.2014.23268

Cited by 98 publications

(56 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The same observations were reported by de Carné de Carnavalet and Mannan in their work [3], in which they examined 13 PPCs deployed at 11 widely-used web services.…”

Section: Related Worksupporting

confidence: 74%

“…Using purely client-side Web-based technologies, we implemented one possible PSV design as an open-source software tool on a 2-D animated canvas. We followed some educational principles to design and 3 In principle, a PSM algorithm can return more than one value each representing a different aspect of the password strength. Such algorithms are however very rare.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

PSV (Password Security Visualizer): From Password Checking to User Education

Aljaffan

Yuan

2017

Human Aspects of Information Security, Privacy and Trust

View full text Add to dashboard Cite

Abstract. This paper presents the Password Security Visualizer (PSV), an interactive visualization system specifically designed for password security education. PSV can be seen as a reconfigurable "box" containing different proactive password checkers (PPCs) and visualizers of password security information, allowing it to be used like a "many in one" or "hybrid" PPC. PSV can provide many new features that do not exist in traditional PPCs, thus having a greater potential to achieve its goals of educating users. Using purely client-side Web-based technologies, we implemented a prototype of PSV as an open-source software tool on a 2-D animated canvas. To evaluate the actual performance of our implemented PSV prototype against traditional PPCs, we conducted a semistructured interview involving 20 human participants. Our qualitative analysis of the results showed that PSV was considered the most informative and recommended by most participants as a good educational tool. To the best of our knowledge, PSV is the first system combining different PPCs together for user education, and the user study is the first of this kind on comparing educational effectiveness of different PPCs (and PPC-like password security tools such as PSV).

show abstract

“…The same observations were reported by de Carné de Carnavalet and Mannan in their work [3], in which they examined 13 PPCs deployed at 11 widely-used web services.…”

Section: Related Worksupporting

confidence: 74%

Section: Introductionmentioning

confidence: 99%

PSV (Password Security Visualizer): From Password Checking to User Education

Aljaffan

Yuan

2017

Human Aspects of Information Security, Privacy and Trust

View full text Add to dashboard Cite

show abstract

“…Historically, the strength of passwords against guessing attacks has been assessed by using password crackers to find weak passwords [42]. Recently much more precise techniques have been developed [8], [50], [13], [18], [22].…”

Section: Related Workmentioning

confidence: 99%

Who Are You? A Statistical Approach to Measuring User Authenticity

Jain

Freeman²,

Biggio

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

136

View full text Add to dashboard Cite

Abstract-Passwords are used for user authentication by almost every Internet service today, despite a number of wellknown weaknesses. Numerous attempts to replace passwords have failed, in part because changing users' behavior has proven to be difficult. One approach to strengthening password-based authentication without changing user experience is to classify login attempts into normal and suspicious activity based on a number of parameters such as source IP, geo-location, browser configuration, and time of day. For the suspicious attempts, the service can then require additional verification, e.g., by an additional phone-based authentication step. Systems working along these principles have been deployed by a number of Internet services but have never been studied publicly. In this work, we perform the first public evaluation of a classification system for user authentication. In particular:(i) We develop a statistical framework for identifying suspicious login attempts. (ii) We develop a fully functional prototype implementation that can be evaluated efficiently on large datasets. (iii) We validate our system on a sample of real-life login data from LinkedIn as well as simulated attacks, and demonstrate that a majority of attacks can be prevented by imposing additional verification steps on only a small fraction of users. (iv) We provide a systematic study of possible attackers against such a system, including attackers targeting the classifier itself.

show abstract

“…In analysis of real programs, these constraints could be much more complex. For instance, the targeted password could have additional strength requirements imposed [24] or the guess could be computed using automated rules by a tool [49]. Encoding such constraints may yield a complex set of constraints in the analysis.…”

Section: Introductionmentioning

confidence: 99%

“…We demonstrate the use of SMC to quantify the sensitive information leaked in several UNIX utilities when they operate on encrypted data as proposed in a recent work [46]. As a final case study, we use SMC to quantitatively compare the strength of three password meters in real-world websites -Ebay, Drupal and Microsoft, and measure their efficacy in preventing passwords that are known dictionary words [24].…”

Section: Introductionmentioning

confidence: 99%

A model counter for constraints over unbounded strings

et al. 2014

View full text Add to dashboard Cite

Model counting is the problem of determining the number of solutions that satisfy a given set of constraints. Model counting has numerous applications in the quantitative analyses of program execution time, information flow, combinatorial circuit designs as well as probabilistic reasoning. We present a new approach to model counting for structured data types, specifically strings in this work. The key ingredient is a new technique that leverages generating functions as a basic primitive for combinatorial counting. Our tool SMC which embodies this approach can model count for constraints specified in an expressive string language efficiently and precisely, thereby outperforming previous finite-size analysis tools. SMC is expressive enough to model constraints arising in realworld JavaScript applications and UNIX C utilities. We demonstrate the practical feasibility of performing quantitative analyses arising in security applications, such as determining the comparative strengths of password strength meters and determining the information leakage via side channels.

show abstract

From Very Weak to Very Strong: Analyzing Password-Strength Meters

Cited by 98 publications

References 18 publications

PSV (Password Security Visualizer): From Password Checking to User Education

PSV (Password Security Visualizer): From Password Checking to User Education

Who Are You? A Statistical Approach to Measuring User Authenticity

A model counter for constraints over unbounded strings

Contact Info

Product

Resources

About