DOCSLIB.ORG

Password Management Strategies for Online Accounts

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Password Management Strategies for Online Accounts Password Management Strategies for Online Accounts Shirley Gaw Edward W. Felten Department of Computer Science Center for Information Technology Policy Princeton University Wilson School of Public and International Affairs Princeton, NJ USA Department of Computer Science [email protected] Princeton University Princeton, NJ USA [email protected] ABSTRACT passwords to prevent dictionary attacks. As bad as pass- Given the widespread use of password authentication in on- words are, users will go out of the way to make it worse. If line correspondence, subscription services, and shopping, you ask them to choose a password, they'll choose a lousy there is growing concern about identity theft. When peo- one. If you force them to choose a good one, they'll write it ple reuse their passwords across multiple accounts, they in- on a Post-it and change it back to the password they changed crease their vulnerability; compromising one password can it from the last month. And they'll choose the same pass- help an attacker take over several accounts. Our study of word for multiple applications." [22] In short, poor password 49 undergraduates quanti¯es how many passwords they had practices undermine the system. and how often they reused these passwords. The majority Many projects focus on developing new technology around of users had three or fewer passwords and passwords were these poor practices without studying them. In contrast, reused twice. Furthermore, over time, password reuse rates this paper broadly looks at password practices, quantifying increased because people accumulated more accounts but password reuse and also surveying the contributing factors did not create more passwords. Users justi¯ed their habits. to this reuse. We not only consider how users justify their While they wanted to protect ¯nancial data and personal poor practices but also study what encourages them to do communication, reusing passwords made passwords easier better. We link these practices password management tools to manage. Users visualized threats from human attackers, and discuss ways current technology supports poor prac- particularly viewing those close to them as the most moti- tices. We also demonstrate users are ill-informed about vated and able attackers; however, participants did not sep- dictionary attacks from responses to a survey of what con- arate the human attackers from their potentially automated stitutes strong passwords and who could compromise pass- tools. They sometimes failed to realize that personalized words. passwords such as phone numbers can be cracked given a Our password study focuses on online accounts. Web- large enough dictionary and enough tries. We discuss how site authentication scales up a user's password management current systems support poor password practices. We also problem. For real world interactions, users can leverage present potential changes in website authentication systems physical context: they stand at an ATM, they hold a cell and password managers. phone, or they sit in front of their desktop. For online ac- counts, users are at the same machine but access many dif- ferent accounts. Second, real world interactions also have Categories and Subject Descriptors more regularity: people may use their voicemail password H.5.2 [User Interfaces]: Evaluation/methodology; K.6.5 or their building entry codes almost daily. Online inter- [Security and Protection]: Authentication actions may be more sporadic, where users visit a speci¯c site rarely. Altogether, these issues and the proliferation of website logins aggravate the password management prob- General Terms lem, particularly encouraging password reuse [2, 11]. password management, user behavior, password reuse Technical solutions for online password management can improve practice and without signi¯cantly changing user Keywords beavior. This is in contrast to alternatives for traditional authentication systems. These alternatives might rely on security, password, survey, user behavior the user having a particular device such as a cell phone or a physical token such as a smart card. When users access 1. INTRODUCTION website accounts, they already have their hands on a com- For password authentication systems, users often are the puter. We can develop systems at the application level or enemy. Schneier writes, \the problem is that the average at the browsers speci¯cally instead of at the device level. user can't and won't even try to remember complex enough A newly developed system should incorporate the needs of users, but few have studied users' work practices in this Copyright is held by the author/owner. Permission to make digital or hard domain. As Preece states, we must take this step to \ap- copies of all or part of this work for personal or classroom use is granted proach it by understanding the characteristics and capabil- without fee. ities of the users, what they are trying to achieve, how they Symposium On Usable Privacy and Security (SOUPS) 2006, July 12-14, achieve it currently, and whether they would achieve their 2006, Pittsburgh, PA, USA. goals more e®ectively if they were supported di®erently." to strengthen password management and also studied how [17] users justify subverting password policies. In this paper, we present a survey of how users manage There have been few papers that empirically quantify how passwords for online accounts. With this background on many passwords people have. Dhamija and Perrig used in- what users do, we can develop supportive technologies for terview data from 30 people to estimate that participants password management. In our study with 49 undergradu- had one to seven unique passwords for ten to ¯fty websites ates, we measure the extent of password reuse and examine [7]. Sasse et al. investigated several aspects of password users' justi¯cations of this practice. We ask about current use. They reported that the 144 employees surveyed had an management strategies and use data from failed login at- average of 16 passwords, but this was not limited to online tempts to understand where users have problems with pass- activities [21]. Two other studies have based estimations of word authentication. We also investigate users' models of people's passwords through surveys. Brown et al. surveyed attacks and attackers, which provide context to their se- college students and asked how many passwords they had. curity precautions. The large scope of this work helps us Students had an average of 8.18 password uses with 4.45 understand real users' practices along with the environment unique passwords (N = 218) [4]. Riley also used a survey and culture that leads to these practices. to focus on online accounts. Her results similarly indicated college and graduate students had an average of 8.5 accounts 2. RELATED WORK with an passwords (SD = 2.028, N = 328) [19]. In contrast to the above papers, our study collected password informa- As mentioned in the introduction, many projects try to tion based on login attempts to websites before asking users overcome poor password practices. For instance, several re- to estimate how many passwords they had; that is, rather searchers have suggested using graphical passwords, whether than asking people to just estimate how many passwords they use doodles [10], a series of random art images [7] they had, they were ¯rst asked to login to websites and then or people's faces [3], or points within an image [25]. The count how many passwords they used. premise with these systems is that images are easier for peo- ple to recognize or recall than text. Additionally, these sys- tems may a®ord selection of stronger passwords [12] than 3. OVERVIEW OF STUDY poor text passwords that are easily cracked [14, 15]. In con- We broadly studied password practices, focusing on real trast, Yan et al. and Bunnell et al. have focused on text users password reuse and the technology designs that en- passwords, looking at recall rates for di®erent methods to couraged (or discouraged) these practices. Our study was generate and associate these passwords [26, 6]. part laboratory exercise and part survey. Participants who Others have looked at tools for users to manage their pass- completed the two sessions of the study were compensated words, particularly password hashing systems. Yee discusses with $10 USD. Almost all participants were Princeton Uni- several password hashing systems, which can use a master versity undergraduates, with the exception of one graduate password on a second identi¯er (such as a website URL) to student and two people una±liated with the university. Sec- generate unique passwords across di®erent websites [27]. Of- tions 5 and 6.1 present results from the ¯rst session, where ten these tools try to add convenience by hiding their func- students completed an online questionnaire (58 participants: tions from the user. Both LPWA and PwdHash automat- 18 males, 40 females). Sections 4 and 6.2 present results ically substitute or ¯ll in passwords based on speci¯c user from the second session, where students came into the lab- input [9, 20], while Site Password [13] and a remote version oratory. Only 49 of the original participants completed the of PwdHash display the generated password for the user. second session (33 females, 16 males). Browser features such as Internet Explorer's AutoComplete and Firefox's Saved Passwords similarly automate ¯lling in passwords without displaying clear text to the user. These 4. QUANTIFYING PASSWORD REUSE functions then relieve the user's burden to memorize several How many online accounts do people have? BugMeNot.com passwords. claims to have accounts for at least 107,116 free websites Researchers have also conducted empirical studies of pass- that use password authentication [5]. While this collection word use and management. Petrie collected passwords from is huge, individual users have far fewer website accounts. 1,200 employees in the United Kingdom. The author con- Our survey asked participants to quantify how many web- cluded that people tended to pick passwords that represent site accounts they had and how many passwords they used themselves, a person's \password has to sum up the very across these accounts.
Load more

Recommended publications
  • On the Incoherencies in Web Browser Access Control Policies
    On the Incoherencies in Web Browser Access Control Policies Kapil Singh∗, Alexander Moshchuk†, Helen J. Wang† and Wenke Lee∗ ∗Georgia Institute of Technology, Atlanta, GA Email: {ksingh, wenke}@cc.gatech.edu †Microsoft Research, Redmond, WA Email: {alexmos, helenw}@microsoft.com Abstract—Web browsers’ access control policies have evolved Inconsistent principal labeling. Today’s browsers do piecemeal in an ad-hoc fashion with the introduction of new not have the same principal definition for all browser re- browser features. This has resulted in numerous incoherencies. sources (which include the Document Object Model (DOM), In this paper, we analyze three major access control flaws in today’s browsers: (1) principal labeling is different for different network, cookies, other persistent state, and display). For resources, raising problems when resources interplay, (2) run- example, for the DOM (memory) resource, a principal is time changes to principal identities are handled inconsistently, labeled by the origin defined in the same origin policy and (3) browsers mismanage resources belonging to the user (SOP) in the form of <protocol, domain, port> [4]; but principal. We show that such mishandling of principals leads for the cookie resource, a principal is labeled by <domain, to many access control incoherencies, presenting hurdles for > web developers to construct secure web applications. path . Different principal definitions for two resources are A unique contribution of this paper is to identify the com- benign as long as the two resources do not interplay with patibility cost of removing these unsafe browser features. To do each other. However, when they do, incoherencies arise. For this, we have built WebAnalyzer, a crawler-based framework example, when cookies became accessible through DOM’s for measuring real-world usage of browser features, and used “document” object, DOM’s access control policy, namely the it to study the top 100,000 popular web sites ranked by Alexa.
    [Show full text]
  • Copyrighted Material
    38363ftoc.qxd:WileyRed 1/31/08 12:22 AM Page ix Contents Acknowledgments xxiii Introduction xxv Chapter 1 Control Your Email 1 Hack 1: Empty Your Inbox (and Keep It Empty) 3 Why an Empty Inbox? 4 Set Up the Trusted Trio of Folders 4 The Archive Folder 5 The Follow Up Folder 5 The Hold Folder 6 Process Your Messages 6 Keep It Empty 7 Your First Time 7 The Catch 7 Hack 2: Decrease Your Response Time 8 Process Messages in Batches 9 The One-Minute Rule 9 Respond to Task Requests — Before the Task Is Done 9 COPYRIGHTEDDon’t Leave It in Your Inbox MATERIAL 10 Hack 3: Craft Effective Messages 10 Composing a New Message 11 Determine Your Purpose 11 Use an Informative Subject Line 11 Be Succinct 12 Put Your Messages on a Diet 12 Facilitate a Complete Response 13 ix 38363ftoc.qxd:WileyRed 1/31/08 12:22 AM Page x x Contents Make It Clear Why Everyone Got the Message 14 Don’t Forget the Attachment 14 Replying to a Message 14 Respond to Individual Points Inline 15 Task Requests 15 Lead by Example 16 Don’t Respond in Real Time 16 Get Outside the Inbox 16 Know When Not to Say a Thing 17 Hack 4: Highlight Messages Sent Directly to You 17 Microsoft Outlook: Color Me Blue 18 All Other Email Programs: Create a Not-to-Me Filter 18 Hack 5: Use Disposable Email Addresses 19 Web-Based Public Email Addresses 19 Multi-Domain Email Addresses 19 Hack 6: Master Message Search 20 Search Criteria 20 Saved Search Folders 23 Hack 7: Future-Proof Your Email Address 25 Don’ts 25 Do’s 25 Bottom Line 26 Hack 8: Consolidate Multiple Email Addresses with Gmail 27 Receive Messages
    [Show full text]
  • Practical Web Privacy with Firefox
    Practical Web Privacy with Firefox Chuck Willis [email protected] Live-OWASP DC 2007 September 6, 2007 About Me Principal Consultant with MANDIANT in Alexandria, VA • Full spectrum information security company: Professional Services Government Services Education Software • Services include Application Security, Network Security, Incident Response, and Computer Forensics • Offices in Alexandria, VA, NYC, and other locations Member of OWASP-DC / Maryland Chapter See more on my web site www.securityfoundry.com 1 Privacy on the Web Web sites use a variety of techniques to gather data on users These techniques can be thwarted with the proper configuration of your web browser This presentation will describe information gathering techniques and ways to prevent them using the Firefox web browser Emphasis will be on techniques with minimal impact on the web surfing experience 2 Agenda Cookies Scripts and other Active Content Referer Header Google IP Address Tracking and Geolocation History and Cache Snooping Site Registrations Privacy at a Public Hotspot 3 Cookies Third Party Cookies Issue: When visiting a web site that imports content from another site, the third party site can set and receive cookies to track users Solution: • Disable third party cookies • This is set by changing Network.cookie. cookieBehavior to 1 in about:config • Only the site appearing in the URL will be sent cookies • This is the same setting that used to appear in the UI for Firefox 1.5 and below as allowing cookies "for the originating site
    [Show full text]
  • The Smart Girl's Guide to Privacy
    SHELVE IN: COMPUTERS/GENERAL The whirlwind of social media, online dating, and mobile apps can guide to privACY THE SMART GIRL’s make life a dream—or a nightmare. For every trustworthy website, violet blue there are countless jerks, bullies, and scam artists who want to harvest your personal information for their own purposes. But you can fight back, right now. In The Smart Girl’s Guide to Privacy, award-winning author and investigative journalist Violet Blue shows you how women are targeted online and how to keep yourself safe. Blue’s practical, user-friendly advice will teach you how to: • Delete personal content from websites • Use website and browser privacy controls effectively • Recover from and prevent identity theft • Figure out where the law protects you—and where it doesn’t • Set up safe online profiles • Remove yourself from people-finder websites Even if your privacy has already been compromised, don’t panic. It’s not too late to take control. Let The Smart Girl’s Guide to VIOLET BLUE help you cut through the confusion and start protecting your the smart Privacy online life. Violet Blue is an investigative tech reporter for ZDNet, CNET, Engadget, and CBS News, girl’s guide and an award-winning sex writer and columnist. She is also a member of the Internet Press Guild and an advisor for Without My Consent. She currently maintains a sexuality blog at tinynibbles.com and can be found on Twitter, @violetblue. to privacy $17.95 ($20.95 CDN) practical tips for staying safe online www.nostarch.com THE FINEST IN GEEK ENTERTAINMENT ™ the smart girl’s guide to privacy the smart girl’s guide to privacy practical tips for staying safe online violet blue The Smart Girl’s Guide to Privacy.
    [Show full text]
  • Low Tech Hacking: Street Smarts for Security Professionalsen
    Low Tech Hacking Street Smarts for Security Professionals Jack Wiles Dr. Terry Gudaitis Jennifer Jabbusch Russ Rogers Sean Lowther Neil Wyler, Technical Editor AMSTERDAM • BOSTON • HEIDELBERG • LONDON NEW YORK • OXFORD • PARIS • SAN DIEGO SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO Syngress is an imprint of Elsevier Acquiring Editor: Chris Katsaropoulos Development Editor: Mstt Cater Project Manager: Paul Gottehrer Designer: Russell Purdy Syngress is an imprint of Elsevier 225 Wyman Street, Waltham, MA 02451, USA # 2012 Elsevier, Inc. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions. This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein). Notices Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices, may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information
    [Show full text]
  • Hacking Firefox : More Than 150 Hacks, Mods, and Customizations
    01_596500 ffirs.qxd 6/30/05 2:34 PM Page iii Hacking Firefox™ More Than 150 Hacks, Mods, and Customizations Mel Reyes 01_596500 ffirs.qxd 6/30/05 2:34 PM Page ii 01_596500 ffirs.qxd 6/30/05 2:34 PM Page i Hacking Firefox™ 01_596500 ffirs.qxd 6/30/05 2:34 PM Page ii 01_596500 ffirs.qxd 6/30/05 2:34 PM Page iii Hacking Firefox™ More Than 150 Hacks, Mods, and Customizations Mel Reyes 01_596500 ffirs.qxd 6/30/05 2:34 PM Page iv Hacking Firefox™: More Than 150 Hacks, Mods, and Customizations Published by Wiley Publishing, Inc. 10475 Crosspoint Boulevard Indianapolis, IN 46256 www.wiley.com Copyright © 2005 by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada ISBN-13: 978-0-7645-9650-6 ISBN-10: 0-7645-9650-0 Manufactured in the United States of America 10987654321 1B/SR/QX/QV/IN No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.
    [Show full text]
  • Pro Blogger's Black Book
    Pro Blogger’s Black Book This compilation was created about a year ago, and I simply never got around to releasing it. It is possible that some of the listings in this document have expired in the last year, but it is still a pretty useful directory. - David Risley Advertising! 4 Article Directories! 9 Blog Tools! 11 Call Centers! 14 Collaboration / Conferencing! 14 Content – Multimedia! 19 Content Written! 20 Customer Relationship Management! 23 Customer Service! 27 E – Commerce! 28 Email Marketing! 30 Facebook Applications! 32 Finance! 32 Free Classifieds! 35 Fulfilment Resource! 37 Fun! 37 Government! 38 Graphic Design! 39 Blog Marketing Academy - Page 1 Hosting/Domains! 44 Idea Management! 48 IP Address! 49 iPhone Applications! 49 Latest Resources! 50 Marketing Blogs! 52 Marketing Resources! 54 Media Buys! 61 Membership Sites! 64 Multimedia Tools & Apps! 64 Music! 66 News! 67 Online Apps! 68 Outsourcing! 72 Printing! 75 Productivity Tools and Resources! 76 Products To Sell! 81 Project Management! 85 Public Domain! 89 Public Relations! 90 Research Keyword! 93 Research Niche! 95 Blog Marketing Academy - Page 2 Search Resources! 97 SEO Resources! 100 Shopping! 106 Software! 111 Stock Images! 115 Testing and Tracking! 117 Travel! 121 URL Shortener! 125 Video Sites! 126 Video Tools! 130 Web Design and Development! 131 Work Resources! 137 Blog Marketing Academy - Page 3 Advertising Adap.tv – http://adap.tv Offers the OneSource online video ad management platform that provides a complete, end-to-end solution to increase advertising revenue and grow streams. AdEngage - http://adengage.com AdEngage allows webmasters to earn money selling ad space and allows advertisers to easily place ads on hundreds of websites.
    [Show full text]
  • An Intensive Analysis of Security and Privacy Browser Add-Ons
    An intensive analysis of security and privacy browser add-ons Nikolaos Tsalis1, Alexios Mylonas2, Dimitris Gritzalis1 1 Information Security & Critical Infrastructure Protection (INFOSEC) Laboratory Dept. of Informatics, Athens University of Economics & Business 76 Patission Ave., Athens, GR-10434, Greece 2 Faculty of Computing, Engineering and Sciences, Staffordshire University Beaconside, Stafford, ST18 0AD, United Kingdom {ntsalis, dgrit}@aueb.gr, [email protected] Abstract. Browsers enable the user to surf over the Internet and access web sites that may include social media, email service, etc. However, such an activity in- corporates various web threats (e.g. tracking, malicious content, etc.) that may imperil the user’s data and any sensitive information involved. Therefore, web browsers offer pre-installed security controls to protect users from these threats. Third-party browser software (i.e. add-ons) is also available that enhances these pre-installed security controls, or substitutes them. In this paper, we examine the available security controls that exist in modern browsers to reveal any gaps in the offered security protection. We also study the available security and privacy add- ons and observe whether the above mentioned gaps (i.e. when a security control is unavailable) are covered or need to be revisited. Keywords: Web browser security, privacy, add-ons, user protection, malware, phishing, controls 1 Introduction Web browsing activities (e.g. e-commerce, online banking, social media, etc.) are ac- companied by web threats that pose a direct risk towards the user, such as phishing attacks, malicious software, tracking sensitive information etc. [1]. When a user selects one of the popular web browsers (i.e.
    [Show full text]
  • Exposing Security and Privacy Liabilities in Modern Browsers
    Exposing security and privacy liabilities in modern browsers Nikolaos Tsalis March 2017 Exposing security and privacy liabilities in modern browsers Nikolaos Tsalis A dissertation submitted for the partial fulfillment of a Ph.D. degree March 2017 ii Supervising Committee: 1. Dimitris Gritzalis, Professor, Athens University of Economics & Business (Chair) 2. Theodoros Apostolopoulos, Professor, Athens University of Economics & Business 3. Ioannis Marias, Assistant Professor, Athens University of Economics & Business Examination Committee: 1. Dimitris Gritzalis, Professor, Athens University of Economics & Business 2. Theodoros Apostolopoulos, Professor, Athens University of Economics & Business 3. Ioannis Marias, Associate Professor, Athens University of Economics & Business 4. Vasileios Katos, Professor, Bournemouth University, United Kingdom 5. Ioannis Stamatiou, Associate Professor, University of Patra 6. Panos Kotzanikolaou, Assistant Professor, University of Piraeus 7. Alexios Mylonas, Lecturer, Bournemouth University, United Kingdom iii Exposing security and privacy liabilities in modern browsers Copyright © 2017 by Nikolaos Tsalis Department of Informatics Athens University of Economics and Business 76 Patission Ave., Athens GR-10434, Greece All rights reserved. No part of this manuscript may be reproduced or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the author. iv "Η έγκριση διδακτορικής διατριβής υπό του Τμήματος Πληροφορικής του Οικονομικού Πανεπιστημίου Αθηνών δεν υποδηλοί αποδοχή των γνωμών του συγγραφέως.” (Ν. 5343/ 1932, άρθρο. 202) v Acknowledgements First and foremost, I would like to thank my Ph.D. supervisor Prof. Dimitris Gritzalis. We met back in 2008, while I was on my second year of undergraduate studies. I had selected Information Systems Security as an optional module without too much thought, as I was certain from the beginning that this was the field I would like to excel and purchase a career in.
    [Show full text]
  • Instructables.Com
    Home Sign Up! Explore Community Submit All Art Craft Food Games Green Home Kids Life Music Offbeat Outdoors Pets Photo Ride Science Tech How To Make Firefox The Most Useful Web Browser There Is by heyzuphowsitgoin on March 5, 2008 Table of Contents License: General Public License (gpl) . 2 Intro: How To Make Firefox The Most Useful Web Browser There Is . 2 step 1: Getting Firefox . 2 step 2: Speed 'er Up! . 3 step 3: Still Movin' Fast! . 3 step 4: MORE MEMORY . 3 step 5: Adding The Themes . 3 step 6: Adding Addons . 4 step 7: Adding Search Engines . 4 step 8: Done . 4 Related Instructables . 4 Advertisements . 5 Comments . 5 http://www.instructables.com/id/How-To-Make-Firefox-The-Most-Useful-Web-Browser-Th/ License: General Public License (gpl) Intro: How To Make Firefox The Most Useful Web Browser There Is If you are already not convinced that firefox is better than everything out there, here are a few tips and tweaks that will make you want to switch. If you are using firefox, maybe you still didn't know about these. step 1: Getting Firefox Just download and install firefox... Works with just about every operating system there is... But don't get the beta, there aren't as many themes and plugins for those http://www.mozilla.com/en-US/firefox/ http://www.instructables.com/id/How-To-Make-Firefox-The-Most-Useful-Web-Browser-Th/ step 2: Speed 'er Up! Do this if you have high speed internet, it won't work as well if you are using dial-up.
    [Show full text]
  • Technical and Market Failures in Human Authentication on the Web
    The password thicket: technical and market failures in human authentication on the web Joseph Bonneau Sören Preibusch Computer Laboratory Computer Laboratory University of Cambridge University of Cambridge [email protected] [email protected] Abstract We report the results of the first large-scale empirical analysis of password implementations deployed on the Internet. Our study included 150 websites which offer free user accounts for a variety of purposes, including the most popular destinations on the web and a random sample of e-commerce, news, and communication websites. Although all sites evaluated relied on user-chosen textual passwords for authentication, we found many subtle but important technical variations in im- plementation with important security implications. Many poor practices were commonplace, such as a lack of encryption to protect transmitted passwords, storage of cleartext passwords in server databases, and little protection of passwords from brute force attacks. While a spectrum of imple- mentation quality exists with a general co-occurrence of more-secure and less-secure implementa- tion choices, we find a surprising number of inconsistent choices within individual sites, suggesting that the lack of a standards is harming security. We observe numerous ways in which the technical failures of lower-security sites can compromise higher-security sites due to the well-established ten- dency of users to re-use passwords. Our data confirms that the worst security practices are indeed found at sites with few security incentives, such as newspaper websites, while sites storing more sensitive information such as payment details or user communication implement more password se- curity.
    [Show full text]