Publications

How users choose and reuse passwords

Abstract

Weak or reused passwords are responsible for many contemporary security breaches. It is critical to study both how users choose and reuse passwords and the causes that lead users to adopt unsafe practices. Existing literature on these topics is limited: it either studies patterns but not their causes (using leaked or contributed datasets), or it studies artificial patterns and causes that may not align with real ones (lab interviews and/or fictional servers). Our research complements existing work by studying the semantic structure, strength and reuse of real passwords, as well as the conscious and unconscious causes of unsafe practices, in a population of 50 participants. The participants took part in a carefully designed, ethical and IRB-approved lab study in which we harvested their existing online credentials and interviewed them about their password strategies and their risk perceptions. We found that: (1) an average password is weak and is used at more than four sites; (2) passwords for important sites are only 1-2 characters longer and 10 times stronger than those for non-important sites; (3) the main causes of weak passwords are security fatigue and short password length; (4) 98% of users reuse their passwords with no changes, and the rest make slight changes that can be easily brute-forced; (5) 84% of users reuse passwords between important and non-important sites; and (6) the main causes of password reuse are misconceptions about risk and a preference for memorability over security.

Metadata

publication
Information Sciences Institute, 2016
year
2016
publication date
2016
authors
Ameya Hanamsagar, Simon Woo, Christopher Kanich, Jelena Mirkovic
link
https://www.academia.edu/download/118085852/isi-tr-715.pdf
resource_link
https://www.academia.edu/download/118085852/isi-tr-715.pdf
journal
Information Sciences Institute
pages
43