The Password Doesn’t Fall Far: How Service Influences Password Choice
Miranda Wei, The University of Chicago; Maximilian Golla, Ruhr University Bochum; Blase Ur, The University of Chicago
Baltimore, USA | August 12, 2018
https://myappletrees.com Create a password for your MyAppleTrees account: MyAppleTreesPassword
Baltimore, USA | SOUPS WAY | August 12, 2018
https://myappletrees.com Create a password for your MyAppleTrees account: RedDelicious
related work about password choice: demographic factors, account importance, composition policies [Mazurek et al., CCS13] [Ur et al., SOUPS15] [Florêncio & Herley, WWW07]
our research questions: Do users make passwords related to…
1. … the name of the service? (myappletrees)
2. … the topic of the service? (applepie)
methodology
five password leaks
filtered out passwords that appeared in other leaks
Diagram: Top 1000 Passwords From Battlefield Heroes compared with Top 1000 Passwords From Each of the Other Four Leaks (Brazzers, last.fm, LinkedIn, Mate1); regions labelled "not service-specific" and "service-specific"
qualitative coding
Step 1: Initial Criteria. Is the password related to…
• … the name of the service?
• … the topic of the service?
Step 2: Open Coding (CODEBOOK)
• average of 7 codes/service
• coded 90% of analyzed passwords
results
yes, related to name
Figure: Top ten passwords per service after filtering
yes, related to topic
• trooper, headshot, iamthebest
• pornstar, enjoyporn, iloveporn
• networking, jobsearch, business
CODEBOOK
users choose passwords based on other interests
• giants, patriots, wrestling, bowling
• cadillac, silverado, peterbilt, accord
• halflife, warcraft3, gamecube, viewsonic
users choose passwords reflecting international backgrounds
• hejhej, jemoeder, wachtwoord, panzer
• olamide, opeyemi, babatunde, adekunle
users invoke religion when it comes to jobs and love: krishna, ilovegod, jesuschrist, thankgod, godisgreat, ingodwetrust, godislove, godhelpme
conclusions
need to account for site-specific keywords
• password doesn’t fall far
  - 3-6% of passwords analyzed were directly related to name/topic
• many password-guessing tools/models support custom wordlists
use blacklists
• at an absolute minimum, blacklist the service name!
  - looking at you: Spotify, Amazon, Facebook, Google, Hulu, Tumblr, Pinterest, Microsoft, Instagram, Twitter
• balancing security and usability
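One way to apply the service-name blacklist recommended above at password-creation time, as an added example (not code from the talk or its authors). The topic words, the look-alike folding table and the minimum term length are assumptions; the sample service is the deck's fictional MyAppleTrees.

```python
import re
import unicodedata

MIN_TERM_LEN = 4  # assumption: shorter terms block too many unrelated passwords

# Substitutions undone before matching (constructed, not exhaustive).
# "l", "1", "!" and "|" fold into one class so "L1nkedIn" matches "linkedin".
FOLD = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "1": "i", "!": "i", "|": "i", "l": "i"})

def normalize(text):
    """Lowercase, strip accents, fold look-alike characters, drop the rest."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(FOLD))

def service_terms(name, topic_words=()):
    """Map normalized blocklist terms to their original spelling."""
    # The full name, each word of a multi-word name, and any topic keywords.
    candidates = [name, *name.split(), *topic_words]
    terms = {normalize(c): c for c in candidates}
    return {n: c for n, c in terms.items() if len(n) >= MIN_TERM_LEN}

def blocked_terms(password, terms):
    """Return the service terms found in the password, forward or reversed."""
    norm = normalize(password)
    hits = {orig for n, orig in terms.items() if n in norm or n in norm[::-1]}
    return sorted(hits, key=str.lower)

# Constructed sample: the deck's fictional service, with assumed topic words.
TERMS = service_terms("MyAppleTrees", ["apple", "orchard"])

if __name__ == "__main__":
    for pw in ["MyAppleTreesPassword", "4ppl3p1e!", "seertelppaym", "RedDelicious"]:
        print(pw, "->", blocked_terms(pw, TERMS) or "accepted")
```

RedDelicious is accepted because only the listed terms are checked, so topic coverage depends on how well the topic word list is curated for each service.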
improve existing tools
• popularity-based password-composition policies [Schechter et al., Hot Topics 10, Segreti et al., SOUPS17]
• password-strength meters [Ur et al., CHI17]
• Qualitative study of leaked passwords from Battlefield Heroes, Brazzers, last.fm, LinkedIn, and Mate1
• Passwords were related by service name, topic, and a variety of other salient semantic topics
• Need to account for site-specific keywords
The Password Doesn’t Fall Far: How Services Influence Password Choice
Miranda Wei, Maximilian Golla, Blase Ur
weim@uchicago.edu
title image: http://www.fanpop.com/clubs/autumn/images/35580383/title/apple-orchard-photo