
Passwords and the evolution of imperfect authentication

Published: 25 June 2015

Abstract

Theory on passwords has lagged practice, where large providers use back-end smarts to survive with imperfect technology.


Published in

Communications of the ACM, Volume 58, Issue 7
July 2015
102 pages
ISSN: 0001-0782
EISSN: 1557-7317
DOI: 10.1145/2797100
Editor: Moshe Y. Vardi

Copyright © 2015 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery
New York, NY, United States


Qualifiers

• research-article
• Popular
• Refereed
