SLIDE 1

A Second Look at Password Composition Policies in the Wild: Comparing Samples from 2010 and 2016

Peter Mayer, Jan Kirchner, Melanie Volkamer


SLIDE 2: This talk

What it is about
  • Password Composition Policies (PCP)
  • Replication of the study by Florêncio & Herley (SOUPS '10)

Outline
  • 1. Description of the original study
  • 2. Description of our replication study
  • 3. Conclusions

| Peter Mayer | SOUPS 2017 | 13.07.2017 2

SLIDE 3: Original study – Overview

Motivation
  • Unknown what influences PCP strength

Goal
  • Identify the influence of website features on PCP strength

SLIDE 4: Original study – Method: Investigated features

The original study hypothesised, for each website feature, whether it should increase (↑) or decrease (↓) PCP strength; the actual effect (?) and the supporting observation and evidence were to be determined by the study.

Website feature                                Hypothesised effect   Actual effect on PCP strength
Size of the service                            ↑                     ?
User name public                               ↑                     ?
Value of the resources protected               ↑                     ?
Extractable value of the resources protected   ↑                     ?
Who lives with the consequences of a breach    ↑                     ?
Advertising accepted                           ↓                     ?
Site advertises                                ↓                     ?
User has choice                                ↓                     ?

SLIDE 7: Original study – Method: Website sampling

Quantcast traffic rank
  • Top (rank 1–20)
  • High (rank 101–110)
  • Medium (rank 1001–1010)

Website type
  • Largest banks
  • Biggest universities
  • Top computer science departments
  • Government

SLIDE 8: Original study – Method: Identification of PCPs

  • Searched the websites for the policy
  • Created an account whenever possible
  • If no PCP could be found: Internet search
  • The first PCP found was used in the study

SLIDE 9: Original study – Method: Determining strength and features

Measuring PCP strength

  $N_{\min} \cdot \log_2(C_{\min})$

  ($N_{\min}$: minimum password length required by the policy; $C_{\min}$: size of the minimum character set, i.e. the smallest set of characters from which a policy-compliant password can be drawn. The product is the strength of the weakest compliant password in bits.)

Evaluation of website features
  • Some based on analyses
  • Some based on argumentation
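The strength measure above is easy to get wrong in one place: $C_{\min}$ is not the set of characters the site allows but the smallest set a compliant password can use, so "8 characters, anything allowed" scores the same as "8 digits". The following is an added example, not code from the talk or the paper; it computes the measure for constructed sample policies, two of which are the German bank policies quoted later in the deck (slide 26). The symbol-class size of 33 and the way requirements are modelled as alternatives (e.g. "a letter" is satisfied by either lowercase or uppercase) are assumptions of this example.

```python
import math
from itertools import product

# Character-class sizes. The deck gives no symbol count; 33 (the printable
# ASCII non-alphanumerics) is an assumption made for this example.
CLASS_SIZES = {"digit": 10, "lower": 26, "upper": 26, "symbol": 33}
ALL_CLASSES = tuple(CLASS_SIZES)


def min_charset_size(requirements, allowed=ALL_CLASSES):
    """Size of the smallest character set a policy-compliant password can use.

    `requirements` is a sequence of alternatives: each inner tuple lists the
    classes any one of which satisfies that rule, e.g. ("lower", "upper") for
    "at least one letter" or ("digit",) for "at least one digit". A password
    using only what the rules force is still compliant, so C_min is the
    smallest union of one class per rule. With no rules, the smallest allowed
    class wins (all digits, if digits are permitted).
    """
    allowed = set(allowed)
    if not requirements:
        return min(CLASS_SIZES[c] for c in allowed)
    best = None
    for choice in product(*requirements):
        chosen = set(choice)
        if not chosen <= allowed:
            continue  # this combination uses a class the policy forbids
        size = sum(CLASS_SIZES[c] for c in chosen)
        if best is None or size < best:
            best = size
    if best is None:
        raise ValueError("requirements cannot be met with the allowed classes")
    return best


def pcp_min_strength_bits(min_len, requirements=(), allowed=ALL_CLASSES):
    """Minimum PCP strength N_min * log2(C_min) in bits, as defined on slide 9."""
    if min_len < 1:
        raise ValueError("minimum length must be at least 1")
    return min_len * math.log2(min_charset_size(requirements, allowed))


# Constructed sample policies: (min_len, requirements, allowed classes). The two
# bank policies are the ones quoted on slide 26; the others are typical shapes,
# not policies taken from the study.
SAMPLE_POLICIES = {
    "6-digit PIN": (6, [("digit",)], ("digit",)),
    "8 chars, no composition rule": (8, [], ALL_CLASSES),
    "5 chars, letters and numbers, no symbols": (
        5, [("lower", "upper"), ("digit",)], ("digit", "lower", "upper")),
    "8 chars, upper + lower + digit": (
        8, [("upper",), ("lower",), ("digit",)], ALL_CLASSES),
    "8 chars, all four classes": (
        8, [("upper",), ("lower",), ("digit",), ("symbol",)], ALL_CLASSES),
}


def strength_table(policies=SAMPLE_POLICIES):
    """Map each policy name to its minimum strength, rounded to 0.1 bit."""
    return {name: round(pcp_min_strength_bits(n, req, allowed), 1)
            for name, (n, req, allowed) in policies.items()}


if __name__ == "__main__":
    for name, bits in strength_table().items():
        print(f"{bits:5.1f} bits  {name}")
```

Note that the 6-digit PIN (19.9 bits) and the no-composition 8-character policy (26.6 bits) come out exactly at the two lowest values that recur in the result tables later in the deck, and that adding "no symbols allowed" to a policy never changes its score: the measure only sees what a password is forced to contain.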

SLIDE 10: Original study – Results

Website feature                                Hypothesised effect   Actual effect on PCP strength
Size of the service                            ↑                     none observed
User name public                               ↑                     none observed
Value of the resources protected               ↑                     none observed
Extractable value of the resources protected   ↑                     none observed
Who lives with the consequences of a breach    ↑                     none observed
Advertising accepted                           ↓                     ↓
Site advertises                                ↓                     ↓
User has choice                                ↓                     ↓

Only the three advertising-related features showed the hypothesised (negative) effect; none of the features hypothesised to increase PCP strength had an observable effect.

SLIDE 11: Replication study – Overview

Motivation
  • Several years since the original study
  • Only websites from the USA

Goal
  • Replication of the study
      • Over time: USA 2010 → USA 2016
      • Across country borders: USA → Germany

[Figure: the feature table of the original study, extended with the columns USA 2010, USA 2016 and Germany 2016 for the actual effect on PCP strength]

SLIDE 12: Replication study – Method: Website sampling

  • USA 2010 (original sample)
  • USA 2016
      • Same websites as the USA 2010 sample (minus 5 websites)
      • Updated PCP strength values
  • Germany 2016
      • Sampled from the same categories
      • German traffic ranks, banks, universities

SLIDE 13: Replication study – Method: Deviations from the original study

  • Use of Alexa ranks instead of Quantcast ranks
  • Manual check whether websites accept advertising

SLIDE 14: Replication study – Research questions

Over time (2010 → 2016):
  • RQ1: Has the average PCP strength in the USA sample changed since the original study?
  • RQ2: Do the effects of the website features on PCP strength from the original study still apply to the USA 2016 sample?

Across countries:
  • RQ3: How do the German and USA samples compare in terms of PCP strength?
  • RQ4: Do the effects of the website features on PCP strength from the original study translate to the German sample?

SLIDE 15–16: Replication study – Results: RQ1: Strength over time

[Scatter plot: Minimum Password Strength 2010 (bits) vs Minimum Password Strength 2016 (bits), both axes 10–80]

PCP strength (bits)

Category             USA 2010   USA 2016
Traffic
  Top traffic          19.9       26.6
  High traffic         19.9       41.5
  Medium traffic       36.2       46.5
Website type
  Bank                 31.0       35.7
  Education            41.7       47.6
  Government           47.6       52.7
  Others               19.9       29.9
Overall                35.7       41.4

Yes, the average PCP strength has increased significantly since the original study.

SLIDE 17–18: Replication study – Results: RQ2: Features over time

Website feature                                Hypothesised effect   Actual effect USA 2010   Actual effect USA 2016
Size of the service                            ↑                     –                        –
User name public                               ↑                     –                        –
Value of the resources protected               ↑                     –                        –
Extractable value of the resources protected   ↑                     –                        –
Who lives with the consequences of a breach    ↑                     –                        –
Advertising accepted                           ↓                     ↓                        ↓
Site advertises                                ↓                     ↓                        –
User has choice                                ↓                     ↓                        ↓

Only one website feature seems to have changed: the effect of "Site advertises" observed in 2010 is no longer observed in the USA 2016 sample.

SLIDE 19–22: Replication study – Results: RQ3: Strength across countries

PCP strength (bits)

Category             USA 2010   USA 2016   Germany 2016
Traffic
  Top traffic          19.9       26.6       26.6
  High traffic         19.9       41.5       26.6
  Medium traffic       36.2       46.5       19.9
Website type
  Bank                 31.0       35.7       16.6
  Education            41.7       47.6       30.8
  Government           47.6       52.7       47.6
  Others               19.9       29.9       26.6
Overall                35.7       41.4       26.6

[Chart annotation: ~2x]

The German sample has generally weaker PCPs than the USA 2016 sample, in some instances even weaker than the USA 2010 sample.

SLIDE 23–24: Replication study – Results: RQ4: Features across countries

Website feature                                Hyp. effect   USA 2010   USA 2016   Germany 2016
Size of the service                            ↑             –          –          –
User name public                               ↑             –          –          –
Value of the resources protected               ↑             –          –          –
Extractable value of the resources protected   ↑             –          –          –
Who lives with the consequences of a breach    ↑             –          –          –
Advertising accepted                           ↓             ↓          ↓          –
Site advertises                                ↓             ↓          –          –
User has choice                                ↓             ↓          ↓          ↓

Only one feature ("User has choice") translates to the German sample.

SLIDE 25: Conclusions

RQ1 & RQ2 – Over time (2010 → 2016):
  • PCP strength in the USA has risen
  • Not all features translate over time
  • No effect of the features hypothesised to increase PCP strength
  ➜ Open question
      • Which features actually increase PCP strength?

SLIDE 26: Conclusions

RQ3 & RQ4 – Across countries:
  • PCPs in the German sample are generally weaker
  • In particular, German banks stand out
      • On average weak PCPs, some very restrictive, e.g.
          • Exactly 6-digit PINs
          • Exactly 5 characters, must contain letters and numbers, no symbols allowed
      • Tight lockout policies (3 strikes)
      • Mandated use of two-factor authorisation (of transactions)
  ➜ Open questions
      • Do users find this trade-off appropriate in the banking context?
      • Would they like to make this trade-off elsewhere?
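The trade-off the German banks make (a tiny keyspace compensated by a 3-strike lockout and transaction 2FA) can be quantified from the attacker's side: the lockout caps online guessing per account regardless of how few bits the PCP yields, while the bits only matter once a hash leaks and guessing goes offline. The following is an added example, not code from the talk or the paper. The keyspace sizes come from the two bank policies quoted on this slide and the $N_{\min} \cdot \log_2(C_{\min})$ view of slide 9; the spray population of one million accounts, the offline rate of 10^9 guesses per second, and the assumption that passwords are uniform over the keyspace (the best case for the defender, and the one the strength measure implies) are assumptions of this example, not figures from the study.

```python
import math

# The "3 strikes" lockout is the one quoted on slide 26. Everything else below
# that looks like a measurement is an assumption of this example.
ATTEMPTS_BEFORE_LOCKOUT = 3


def keyspace(min_len, charset_size):
    """Number of passwords of exactly min_len characters over a charset of the given size."""
    return charset_size ** min_len


def online_success_probability(keyspace_size, attempts):
    """Chance that `attempts` distinct online guesses hit one account's password.

    Assumes the password is uniform over the keyspace; real users choose far
    from uniformly, so this is a lower bound on the attacker's success.
    """
    return min(1.0, attempts / keyspace_size)


def expected_spray_compromises(keyspace_size, attempts_per_account, accounts):
    """Expected accounts opened by a password spray that stops at the lockout
    limit on each of `accounts` accounts (the lockout is what bounds this)."""
    return accounts * online_success_probability(keyspace_size, attempts_per_account)


def offline_half_keyspace_seconds(keyspace_size, guesses_per_second):
    """Time to search half the keyspace offline, i.e. against a leaked hash,
    where no lockout applies and only the bits of the PCP matter."""
    return keyspace_size / 2 / guesses_per_second


def trade_off_report(policies, attempts_per_account=ATTEMPTS_BEFORE_LOCKOUT,
                     accounts=1_000_000, offline_rate=1e9):
    """For each (name, min_len, charset_size) return the PCP's bits, the online
    spray yield under the lockout, and the offline search time without it."""
    report = {}
    for name, min_len, charset_size in policies:
        k = keyspace(min_len, charset_size)
        report[name] = {
            "bits": round(math.log2(k), 1),
            "p_online_per_account": online_success_probability(k, attempts_per_account),
            "expected_spray_compromises": expected_spray_compromises(
                k, attempts_per_account, accounts),
            "offline_half_keyspace_s": offline_half_keyspace_seconds(k, offline_rate),
        }
    return report


# Constructed policies: the two German bank PCPs quoted on slide 26 (charset 10
# for digits only, 36 for the minimal letters-and-digits set) and an 8-character
# letters-and-digits policy for comparison; the third is not from the study.
POLICIES = [
    ("exactly 6 digits", 6, 10),
    ("exactly 5 chars, letters and digits", 5, 36),
    ("8 chars, letters and digits", 8, 36),
]

if __name__ == "__main__":
    for name, row in trade_off_report(POLICIES).items():
        print(f"{name}: {row}")
```

Under these assumptions the 6-digit PIN gives a sprayer three chances in a million per account, about three expected compromises across a million accounts, and is exhausted offline in well under a second; the lockout, not the PCP, is what keeps the online attack in check, which is exactly the trade-off the open questions above ask users about.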

SLIDE 27: Questions?

Over time (2010 → 2016)
  • Rise in PCP strength
  • One feature has lost its effect
  • Others remain unchanged

Across countries
  • PCPs in the German sample are weaker
  • German banking websites stand out

Website feature        Hypothesised effect   USA 2010   USA 2016   Germany 2016
Advertising accepted   ↓                     ↓          ↓          –
Site advertises        ↓                     ↓          –          –
User has choice        ↓                     ↓          ↓          ↓

Limitations
  • The strength measure is rough
  • Only website features were investigated, not technologies on the user side
  • Some analyses use approximations
  • Same websites in the USA sample for 2010 and 2016

SLIDE 28: KMU AWARE

  • Part of the initiative „IT-Sicherheit in der Wirtschaft" (IT security in business)
    www.it-sicherheit-in-der-wirtschaft.de
  • Goal: development of IS awareness and education materials for inclusion in a web-based training platform

SLIDE 29: Icons

All icons are from https://thenounproject.com/ and are licensed under a Creative Commons Attribution 3.0 United States License or are in the public domain. Artists: Iconika, logan