Where do security policies come from?

ABSTRACT
We examine the password policies of 75 different websites. Our goal is to understand the enormous diversity of requirements: some will accept simple six-character passwords, while others impose rules of great complexity on their users. We compare different features of the sites to find which characteristics are correlated with stronger policies. Our results are surprising: greater security demands do not appear to be a factor. The size of the site, the number of users, the value of the assets protected and the frequency of attacks show no correlation with strength. In fact, we find the reverse: some of the largest, most attacked sites with the greatest assets allow relatively weak passwords. Instead, we find that sites that accept advertising, purchase sponsored links, or where the user has a choice of provider show a strong inverse correlation with strength.
We conclude that the sites with the most restrictive password policies do not have greater security concerns, they are simply better insulated from the consequences of poor usability. Online retailers and sites that sell advertising must compete vigorously for users and traffic. In contrast to government and university sites, poor usability is a luxury they cannot afford. This in turn suggests that much of the extra strength demanded by the more restrictive policies is superfluous: it causes considerable inconvenience for negligible security improvement.
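The contrast the abstract draws between a six-character policy and a complex one, and the claim that the extra strength is superfluous, is easier to judge with numbers. The block below is an added example, not code from the paper or its authors: it models a composition policy as the check a signup form performs, counts the smallest password set the policy still admits (minimum length, only the character classes the rule forces), and measures what that minimum buys against two attacker models. The character classes, the three sample policies, the lockout budget of 10 guesses per account per day and the offline rate of 1e10 guesses per second are all constructed assumptions for illustration.

```python
"""Added example, not code from the paper: quantify the minimum strength a
password policy actually guarantees and what that minimum buys against a
throttled online guesser and an offline hash cracker.  Policies, lockout
limits and cracking rates below are constructed assumptions for illustration."""
import math
import string
from dataclasses import dataclass
from itertools import combinations

# Character classes a composition rule can demand (94 printable ASCII
# characters without the space).
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}


def admissible_count(classes, required, length):
    """Number of strings of `length` over the union of `classes` that contain
    at least one character from every class in `required` (inclusion-exclusion
    over the subsets of required classes that could be missing)."""
    required = list(required)
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            size = sum(len(CLASSES[c]) for c in classes if c not in excluded)
            total += (-1) ** k * size ** length
    return total


@dataclass(frozen=True)
class Policy:
    name: str
    min_length: int
    required: frozenset = frozenset()          # classes the password must draw from
    allowed: frozenset = frozenset(CLASSES)    # classes the site accepts at all

    def accepts(self, pw):
        """The check a signup form performs: length and composition only."""
        alphabet = "".join(CLASSES[c] for c in self.allowed)
        return (len(pw) >= self.min_length
                and all(ch in alphabet for ch in pw)
                and all(any(ch in CLASSES[c] for ch in pw) for c in self.required))

    def weakest_space(self):
        """Size of the smallest password set the policy still admits: minimum
        length, and only the classes the rule forces (with no composition rule,
        lowercase alone).  A uniform pick from this set is the best case for the
        defender; real users choose far more predictably than this."""
        classes = self.required or frozenset({"lower"})
        return admissible_count(classes, self.required, self.min_length)

    def weakest_bits(self):
        return math.log2(self.weakest_space())


def online_success_probability(policy, attempts_per_day, days):
    """Throttled online guessing against one account whose owner chose from the
    weakest admissible set; attempts_per_day is the assumed lockout budget."""
    return min(1.0, attempts_per_day * days / policy.weakest_space())


def offline_exhaust_seconds(policy, guesses_per_second):
    """Seconds to enumerate the weakest admissible set against a leaked hash
    at an assumed cracking rate (unsalted fast hash, no key stretching)."""
    return policy.weakest_space() / guesses_per_second


# Constructed sample policies, not any particular site's rules.
LAX = Policy("six characters, no composition rule", 6)
PIN = Policy("six digits only", 6, required=frozenset({"digit"}), allowed=frozenset({"digit"}))
STRICT = Policy("eight characters, all four classes", 8, required=frozenset(CLASSES))

if __name__ == "__main__":
    for p in (LAX, PIN, STRICT):
        print(f"{p.name}: weakest admissible set = {p.weakest_bits():.1f} bits")
        # Assumed lockout budget: 10 guesses per account per day, attacker persists a year.
        print(f"  online, 10/day for a year: P(success) = {online_success_probability(p, 10, 365):.2e}")
        # Assumed offline rate: 1e10 guesses/s against a leaked unsalted fast hash.
        print(f"  offline at 1e10/s: exhaust in {offline_exhaust_seconds(p, 1e10):.1f} s")
```

Under these assumptions the lax and strict policies guarantee roughly 28 and 51 bits respectively, yet neither is at meaningful risk from a year of throttled online guessing, while a digits-only rule of the same length is. Against offline cracking of a leaked fast hash the lax minimum falls in well under a second and the strict minimum in days. That is the caveat to keep beside the abstract's conclusion: the extra bits buy little against the online guessing a web login actually exposes, and matter mainly once a hash database has leaked.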