The Password Doesn't Fall Far: How Service Influences Password Choice


The Password Doesn't Fall Far: How Service Influences Password Choice. Miranda Wei, The University of Chicago; Maximilian Golla, Ruhr University Bochum; Blase Ur, The University of Chicago. Baltimore, USA | August 12, 2018


SLIDE 1

Miranda Wei, The University of Chicago
Maximilian Golla, Ruhr University Bochum
Blase Ur, The University of Chicago

Baltimore, USA | August 12, 2018

The Password Doesn’t Fall Far: How Service Influences Password Choice

SLIDE 2

Baltimore, USA | SOUPS WAY | August 12, 2018


https://myappletrees.com

Create a password for your MyAppleTrees account: MyAppleTreesPassword

SLIDE 3

https://myappletrees.com

Create a password for your MyAppleTrees account: RedDelicious

SLIDE 4

related work about password choice

  • account importance [Ur et al., SOUPS15]
  • composition policies [Florêncio & Herley, WWW07]
  • demographic factors [Mazurek et al., CCS13]

SLIDE 5

our research questions

Do users make passwords related to…

  1. … the name of the service?
  2. … the topic of the service?

myappletrees applepie

SLIDE 6

methodology

SLIDE 7

five password leaks

SLIDE 8

filtered out passwords that appeared in other leaks

Diagram labels: Top 1000 Passwords From Each of the Other Four Leaks; Top 1000 Passwords From Battlefield Heroes

SLIDE 11

filtered out passwords that appeared in other leaks

Diagram labels: Top 1000 Passwords From Each of the Other Four Leaks; Top 1000 Passwords From Battlefield Heroes; not service-specific; service-specific

SLIDE 12

filtered out passwords that appeared in other leaks

Diagram labels: Top 1000 Passwords From Each of the Other Four Leaks (Brazzers, last.fm, LinkedIn, Mate1); Top 1000 Passwords From Battlefield Heroes; not service-specific; service-specific
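The filtering step on these slides, written out as an added example (not the authors' code): keep a service's top-N passwords only if they appear in none of the other services' top-N lists. The corpora below are constructed, and the case-folding and tie-breaking are assumptions of this sketch.

```python
from collections import Counter

def top_n(passwords, n=1000):
    """Return the n most frequent passwords (case-folded), most common first."""
    counts = Counter(p.strip().lower() for p in passwords if p.strip())
    # Descending count, then alphabetical, so ties are resolved deterministically.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [pw for pw, _ in ranked[:n]]

def service_specific(target, others, n=1000):
    """Passwords in the target's top n that are in none of the other top-n lists."""
    seen_elsewhere = set()
    for corpus in others:
        seen_elsewhere.update(top_n(corpus, n))
    return [pw for pw in top_n(target, n) if pw not in seen_elsewhere]

# Constructed sample corpora (one entry per account), not real leak data.
TARGET = (["123456"] * 5 + ["password"] * 4 + ["trooper"] * 3
          + ["headshot"] * 2 + ["Trooper", "qwerty"])
OTHERS = [
    ["123456"] * 6 + ["password"] * 3 + ["networking"] * 2 + ["qwerty"],
    ["password"] * 4 + ["123456"] * 2 + ["iloveyou"],
]

if __name__ == "__main__":
    print(service_specific(TARGET, OTHERS))
```

What survives the filter is the candidate list for qualitative coding, and equally a starting point for a service's own blocklist.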

SLIDE 13

qualitative coding

Is the password related to…

  • … the name of the service?
  • … the topic of the service?

CODEBOOK

Step 1: Initial Criteria
Step 2: Open Coding

  • average of 7 codes/service
  • coded 90% of analyzed passwords

SLIDE 14

results

SLIDE 15

yes, related to name

Top ten passwords per service after filtering

SLIDE 16

yes, related to topic

trooper headshot iamthebest pornstar enjoyporn iloveporn networking jobsearch business

SLIDE 17

CODEBOOK

SLIDE 18

users choose passwords based on other interests

halflife warcraft3 gamecube viewsonic giants patriots wrestling bowling cadillac silverado peterbilt accord

SLIDE 19

users choose passwords reflecting international backgrounds

hejhej jemoeder wachtwoord panzer olamide opeyemi babatunde adekunle

SLIDE 20

users invoke religion when it comes to jobs and love

krishna jesuschrist godisgreat godislove ilovegod thankgod ingodwetrust godhelpme

SLIDE 21

conclusions

SLIDE 22

need to account for site-specific keywords

  • password doesn’t fall far
  • 3-6% of passwords analyzed were directly related to name/topic
  • many password-guessing tools/models support custom wordlists

SLIDE 23

use blacklists

  • at an absolute minimum, blacklist the service name!
  • looking at you: Spotify, Amazon, Facebook, Google, Hulu, Tumblr, Pinterest, Microsoft, Instagram, Twitter
  • balancing security and usability
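One way a registration form could apply this recommendation, as an added example that is not from the slides: reject passwords that contain the service name or a topic keyword after undoing simple character substitutions. The service name is the deck's fictional MyAppleTrees; the topic keywords, the substitution table and the minimum keyword length are assumptions.

```python
import re

# Substitutions undone before matching; this mapping is an assumption of the example.
SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def normalize(text):
    """Lower-case, undo common substitutions, keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(SUBS))

def build_blocklist(service_name, topic_terms=(), min_len=4):
    """Normalized service name plus topic keywords, longest term first."""
    terms = {normalize(service_name)}  # the service name is always blocked
    # Very short topic keywords would reject unrelated passwords (usability).
    terms |= {t for t in map(normalize, topic_terms) if len(t) >= min_len}
    terms.discard("")  # an empty term would match every password
    return sorted(terms, key=lambda t: (-len(t), t))

def blocked_term(password, blocklist):
    """Return the blocked term found in the password, or None if none is present."""
    candidate = normalize(password)
    for term in blocklist:
        if term in candidate:
            return term
    return None

# Constructed configuration: fictional service name, assumed topic keywords.
BLOCKLIST = build_blocklist("MyAppleTrees", ["apple", "orchard", "RedDelicious"])

if __name__ == "__main__":
    for pw in ["MyAppleTreesPassword", "My@ppl3Tr33s!", "applepie",
               "correct horse battery staple"]:
        print(repr(pw), "->", blocked_term(pw, BLOCKLIST) or "accepted")
```

Terms and passwords pass through the same normalization, so a service name that itself contains digits still matches.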

SLIDE 24

improve existing tools

  • popularity-based password-composition policies [Schechter et al., Hot Topics 10, Segreti et al., SOUPS17]
  • password-strength meters [Ur et al., CHI17]

SLIDE 25

The Password Doesn’t Fall Far: How Services Influence Password Choice

  • Qualitative study of leaked passwords from Battlefield Heroes, Brazzers, last.fm, LinkedIn, and Mate1
  • Passwords were related by service name, topic, and a variety of other salient semantic topics
  • Need to account for site-specific keywords

Miranda Wei, Maximilian Golla, Blase Ur weim@uchicago.edu


title image: http://www.fanpop.com/clubs/autumn/images/35580383/title/apple-orchard-photo