
The memorability and security of passwords – some empirical results By: Jianxin Yan, Alan Blackwell, Ross Anderson, Alasdair Grant Presenter: Roy Ford.




1 The memorability and security of passwords – some empirical results
By: Jianxin Yan, Alan Blackwell, Ross Anderson, Alasdair Grant
Presenter: Roy Ford

2 Purpose of Study
- A number of guidelines have been produced on how to create passwords, but no one has studied which types of passwords are easier to remember
- Do users choose easy-to-remember passwords over good passwords?
- Can users be educated to produce better passwords?

3 Human Memory is Fallible
- Memory for sequences of items is temporally limited
- Short-term capacity is 5-9 items (e.g. 7-digit phone numbers)
- Sequences must be chunked
- Memory thrives on redundancy

4 Common advice on password selection
- Passwords should be a mix of letters and numbers
- Passwords should not contain common words
- Passwords should not be written down
- Use random characters if possible
- Use random letters that sound like a word

5 Common advice on password selection
- Use a pass phrase to remember the password
- Passwords must be a minimum length
- Passwords must be changed at a regular interval
- Passwords must contain a mix of letters and numbers (system enforced)

6 Experimental Study
288 freshman students volunteered to be part of the study and were broken into 3 groups:
- Group instructed to pick random passwords by pointing at letters and writing them down
- Group instructed to use pass phrases to memorize the passwords
- Control group not given any instruction

7 Breakdown of Subjects

                      Number of Users
  Control Group               95
  Random Password             96
  Pass Phrase                 97
  Comparison Group           100

8 Experimental Study
- After 1 month, various attacks were performed on their passwords to see how complex they were
- User requests to change passwords were monitored
- After 4 months, the subjects were emailed a 2-question survey

9 Password Attacks
Four attacks were applied against the passwords of the test subjects and an additional 100 comparison users:
- Dictionary attack
- Permutation of words and numbers
- User information attack
- Brute force attack (for passwords only 6 characters long)

10 Results - Password Length

                      Selected Password Length (average)
  Control Group               7.6
  Random Password             8
  Pass Phrase                 7.9
  Comparison Group            7.3

11 Results – Passwords that could be cracked

                      Cracked Passwords
  Control Group           30 (32%)
  Random Password          8 (8%)
  Pass Phrase              6 (6%)
  Comparison Group        33 (33%)

12 Results – Brute Force Attacks

                      Passwords cracked by brute force (6 or fewer characters)
  Control Group               3
  Random Password             3
  Pass Phrase                 3
  Comparison Group            2

13 Password Memorization
The study also wanted to see how much trouble users had remembering their passwords:
- System admin calls were tracked to see if users were resetting their passwords
- A survey was sent to users questioning them about their passwords

14 Password Survey
Two-question survey:
- How hard did you find it to memorize your password? (1 = trivial, 5 = impossible)
- How long (in weeks) did you have to carry your password with you because you had not memorized it?

15 Results – System Admin calls for Password Reset

                      System Admin Calls for Password Resets
  Control Group               2
  Random Password             1
  Pass Phrase                 3

16 Results – Number of Subjects who responded to the survey

                      Survey Responses
  Control Group           80 (84%)
  Random Password         71 (74%)
  Pass Phrase             78 (80%)
  Total                  229 (80%)

17 Results – Survey Results

                      Difficulty to Memorize    Weeks to Remember
  Control Group               1.52                   0.7
  Random Password             3.15                   4.8
  Pass Phrase                 1.67                   0.6

18 Conclusions
- People have difficulty remembering random passwords
- Some users never memorized their passwords
- Pass phrase passwords are harder to crack
- Random passwords are no stronger than pass phrase passwords

19 Conclusions
- Pass phrase passwords are as easy to remember as naively selected passwords
- Educating users to use random or pass phrase passwords does not improve security unless there is a way to enforce the policy, since 10% of users failed to comply with the request

20 Recommendations
- Users should be instructed to use pass phrase passwords
- Users should be encouraged to use 10+ character passwords
- Passwords should contain numbers and letters

21 Recommendations
- Compliance with policy should be enforced if possible
- Centrally assigned random passwords improve security through improved policy compliance
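As an added example (not code from the talk or the paper), the Python check below turns the recommendations on slides 20-21 into an enforced policy and screens new passwords for the same classes the study's four attacks on slide 9 targeted: dictionary words, word-plus-number permutations, user information, and short passwords open to brute force. The word list, the 10-character minimum and the substitution table are constructed assumptions; a real deployment would load a full word list.

```python
import math
import re

# Constructed mini word list standing in for the dictionary used by the
# study's first attack (assumption: a real deployment loads a full list).
WORDLIST = {"password", "letmein", "welcome", "dragon", "monkey", "summer"}

# Policy taken from the talk's recommendations: 10+ characters, letters
# and digits mixed, and enforced centrally rather than merely advised.
MIN_LENGTH = 10
LEET = str.maketrans("0143$@!", "oiaesai")  # assumed substitution table

def normalise(pw):
    """Lower-case and undo common digit-for-letter substitutions."""
    return pw.lower().translate(LEET)

def check_password(pw, user_info=()):
    """Return the list of policy violations; an empty list means compliant.

    Each check mirrors one attack class the study ran: dictionary words,
    word+number permutations, user-derived strings and short passwords.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short: %d chars, policy needs %d" % (len(pw), MIN_LENGTH))
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        problems.append("must mix letters and digits")
    core = normalise(pw)
    m = re.fullmatch(r"(\d*)([a-z]+)(\d*)", core)
    if core in WORDLIST:
        problems.append("dictionary word")
    elif m and m.group(2) in WORDLIST:
        problems.append("dictionary word with digits prepended/appended")
    for item in user_info:
        if len(item) >= 3 and (item.lower() in pw.lower() or item.lower() in core):
            problems.append("contains user information: %s" % item)
    return problems

def brute_force_bits(pw):
    """log2 of the search space for this length over the character classes
    used; 6 lower-case letters is about 28 bits, which the study cracked."""
    alphabet = 0
    if re.search(r"[a-z]", pw): alphabet += 26
    if re.search(r"[A-Z]", pw): alphabet += 26
    if re.search(r"\d", pw): alphabet += 10
    if re.search(r"[^A-Za-z0-9]", pw): alphabet += 33
    return len(pw) * math.log2(alphabet) if alphabet else 0.0
```

Running check_password("p4ssw0rd") reports both the short length and the dictionary word hidden behind the substitutions, while a pass phrase such as "Mermaids-Swim-4-Miles" passes cleanly.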

