PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga...
04. Passwords
Blase Ur and Mainack Mondal
April 4th, 2018
CMSC 23210 / 33210

Passwords

Why Passwords?
• Familiar to people
• Nothing to carry
• Difficult to coerce
• Easy to deploy, revoke, and replace

Threats to Password Security
• Online attack against live system
– Rate-limiting
• Attack against password-protected file
• Offline attack against stolen database

Anatomy of an Offline Attack
• Attacker compromises database
– hash(“Blase”) = $2a$04$iHdEgkI681VdDMc3f7edau9phRwORvhYjqWAIb7hb4B5uFJO1g4zi
• Attacker makes and hashes guesses
• Finds match, then tries it on other sites
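The stored value on this slide is a bcrypt string, and its `04` field is the cost factor that sets how expensive each offline guess is. The following added example (not from the original slides) parses that format and audits stored hashes for a low cost or a reused salt; `MIN_COST`, the usernames and every record other than the slide's hash are constructed assumptions.

```python
import re

# bcrypt string layout: $<version>$<2-digit cost>$<22-char salt><31-char digest>
# using bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

MIN_COST = 10  # assumed policy floor for this example; not a value from the slides

SLIDE_HASH = "$2a$04$iHdEgkI681VdDMc3f7edau9phRwORvhYjqWAIb7hb4B5uFJO1g4zi"

# Constructed records: only the first stored value comes from the slide.
SAMPLE_RECORDS = [
    ("blase", SLIDE_HASH),
    ("user2", "$2b$12$" + "A" * 21 + "u" + "B" * 31),
    ("user3", "$2b$12$" + "A" * 21 + "u" + "C" * 31),  # same salt as user2
    ("legacy", "0" * 32),                               # not bcrypt at all
]


def parse_bcrypt(stored):
    """Split a bcrypt string into its fields; raise ValueError if malformed."""
    match = BCRYPT_RE.match(stored)
    if match is None:
        raise ValueError("not a well-formed bcrypt string")
    version, cost, salt, digest = match.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost must be between 4 and 31")
    return {
        "version": version,
        "cost": cost,
        "rounds": 1 << cost,  # key-setup iterations paid per guess
        "salt": salt,
        "digest": digest,
    }


def audit(records, min_cost=MIN_COST):
    """Return (user, issue, detail) findings for a list of (user, stored) pairs."""
    findings = []
    first_user_for_salt = {}
    for user, stored in records:
        try:
            fields = parse_bcrypt(stored)
        except ValueError as exc:
            findings.append((user, "not-bcrypt", str(exc)))
            continue
        if fields["cost"] < min_cost:
            cheaper = 1 << (min_cost - fields["cost"])
            findings.append((
                user,
                "weak-cost",
                f"cost {fields['cost']} makes each guess {cheaper}x cheaper "
                f"than cost {min_cost}",
            ))
        # A repeated salt means equal passwords produce equal hashes,
        # so one computed guess can be checked against several accounts.
        owner = first_user_for_salt.setdefault(fields["salt"], user)
        if owner != user:
            findings.append((user, "salt-reuse", f"salt also used by {owner}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS):
        print(finding)
```
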

Problem 1: Absurd Advice

Problem 2: Inaccurate Feedback

Problem 3: Unhelpful Feedback

1. Impact of password meters
2. Modeling password cracking
3. Password perceptions
4. Neural-network-based guessing
5. Building a data-driven meter

Meters’ Security & Usability Impact
Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor. How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation. In Proc. USENIX Security Symposium, 2012.

Meters Are Ubiquitous

Test Meters’ Impact
• How do meters impact password security?
• How do meters impact usability?
– Memorability
– User sentiment
– Timing
• What meter features matter?
• 2,931-participant online study

Baseline Password Meter

Visual Differences

Scoring Differences

Key Results
• Stringent meters with visual bars increased resistance to guessing
• Visual differences did not significantly impact resistance to guessing
• No significant impact on memorability

Modeling Password Cracking
Blase Ur, Sean M. Segreti, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Saranga Komanduri, Darya Kurilova, Michelle L. Mazurek, William Melicher, Richard Shay. Measuring Real-World Accuracies and Biases in Modeling Password Guessability. In Proc. USENIX Security Symposium, 2015.

Password-Strength Metrics
• Statistical approaches
– Traditionally: Shannon entropy
– Recently: α-guesswork
• Disadvantages for researchers
– Usually no per-password estimates
– Huge sample required
– Not real-world attacks

Parameterized Guessability
• How many guesses a particular cracking algorithm with particular training data would take to guess a password

j@mesb0nd007!
Guess # 366,163,847,194

n(c$JZX!zKc^bIAX^N
Guess # past cutoff

Guessability in Practice

Single Cracking Approach

Default Configuration

Questions About Guessability
1) How does guessability used in research compare to an attack by professionals?
2) Would substituting another cracking approach impact research results?

4 password sets, 5 approaches
• password, iloveyou, teamo123, …
• passwordpassword, 1234567812345678, !1@2#3$4%5^6&7*8, …
• Pa$$w0rd, iLov3you!, 1QaZ2W@x, …
• pa$$word1234, 12345678asDF, !q1q!q1q!q1q, …

Key Results
• Configuration is critical
• Considering single approach insufficient
– Multiple approaches proxy for pros
• Analyses of password sets robust
– More granular analyses not robust

Per-Password Highly Impacted
P@ssw0rd!
• JTR guess # 801
• Not guessed in 10^14 PCFG guesses

Password Guessability Service
• Guessability of plaintext passwords
https://pgs.ece.cmu.edu
"Guess #", "Password"
"127188816", "Qwertyuiop!1"
"1853004462", "asdfF123#"
"2251762491", "P@ssw0rd!"
...
asdfF123#
P@ssw0rd!
Qwertyuiop!1
…
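The per-password figures for P@ssw0rd! (JTR guess # 801, not guessed by PCFG within the cutoff) are why considering a single approach is insufficient. The following added example, which is not part of the original slides, reads per-approach results in the CSV layout shown on this slide, takes the smallest guess number across approaches, and lists the passwords one approach alone would overrate; the approach keys, the 1000x threshold, the missing-row convention and every row except the 801 figure are assumptions.

```python
import csv
import io

CUTOFF = 10**14  # guess budget named on the slides

# Slide value: JTR reaches "P@ssw0rd!" at guess # 801; PCFG never reaches it.
# Every other row below is constructed for this example.
JTR_CSV = '''"Guess #", "Password"
"801", "P@ssw0rd!"
"52340", "asdfF123#"
"9100457", "Qwertyuiop!1"
'''
PCFG_CSV = '''"Guess #", "Password"
"3391", "asdfF123#"
"48811236790", "Qwertyuiop!1"
'''


def load_guess_numbers(text, cutoff=CUTOFF):
    """Parse one approach's CSV into {password: guess number}.

    Assumption: a password missing from the file, or listed past the cutoff,
    counts as not guessed by that approach.
    """
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    header = next(reader, None)
    if header != ["Guess #", "Password"]:
        raise ValueError(f"unexpected header: {header!r}")
    guesses = {}
    for row in reader:
        if not row:
            continue
        if len(row) != 2:
            raise ValueError(f"malformed row: {row!r}")
        number, password = int(row[0]), row[1]
        if number < 1:
            raise ValueError(f"guess numbers start at 1: {row!r}")
        if number <= cutoff:
            guesses[password] = min(number, guesses.get(password, number))
    return guesses


def min_guess_number(per_approach, password):
    """Smallest guess number any approach needs, or None if none guesses it."""
    hits = [g[password] for g in per_approach.values() if password in g]
    return min(hits) if hits else None


def overestimated_by(per_approach, approach, passwords, factor=1000, cutoff=CUTOFF):
    """Passwords that `approach` alone rates >= `factor` times stronger.

    Returns (password, ratio) pairs. For a password the approach never
    guesses, the ratio is a lower bound computed from the cutoff.
    """
    flagged = []
    for password in passwords:
        best = min_guess_number(per_approach, password)
        if best is None:
            continue  # no approach guessed it, nothing to compare
        alone = per_approach[approach].get(password, cutoff)
        if alone >= best * factor:
            flagged.append((password, alone // best))
    return flagged


RESULTS = {
    "jtr": load_guess_numbers(JTR_CSV),
    "pcfg": load_guess_numbers(PCFG_CSV),
}
PASSWORDS = ["asdfF123#", "P@ssw0rd!", "Qwertyuiop!1"]

if __name__ == "__main__":
    for pw in PASSWORDS:
        print(pw, min_guess_number(RESULTS, pw))
    print(overestimated_by(RESULTS, "pcfg", PASSWORDS))
```
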

The Art of Password Creation
Blase Ur, Saranga Komanduri, Lujo Bauer, Lorrie Faith Cranor, Nicolas Christin, Adam L. Durity, Phillip (Seyoung) Huh, Stephanos Matsumoto, Michelle L. Mazurek, Sean M. Segreti, Richard Shay, Timothy Vidas. The Art of Password Creation: Semantics, Strategies, and Strategies. Image Creative Commons by Lasya J on Flickr.

Reverse-Engineering Passwords
~Cowscomehom3
“till the cows come home”

Key Results
• Character substitutions both infrequent and predictable
• Words and phrases frequently used
– Wikipedia excellent source of training data
• Composition policy detrimental for some

Understanding Password Creation
Blase Ur, Fumiko Noma, Jonathan Bees, Sean M. Segreti, Richard Shay, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor. “I Added ‘!’ at the End to Make It Secure”: Observing Password Creation in the Lab. In Proc. SOUPS, 2015.

Understand Origin of Passwords
LEFTbrown8!

Key Results
• Important misconceptions
– Digits and symbols
– Keyboard patterns
– Dictionary words
• Misallocation of effort in password creation

Perceptions of Password Security
Blase Ur, Jonathan Bees, Sean M. Segreti, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor. Do users’ perceptions of password security match reality? In Proc. CHI, 2016.

Perception vs. Reality

Compare actual strength of passwords to users’ perceptions

Measuring Perceptions
• Online study
– Compensated $5 for ~30 minutes
• 165 participants from Mechanical Turk
– Age 18+, live in United States
– Median age 33
– 49% female, 51% male
– 16% CS or related degree or job
– 4% student/professional in computer security

Study Tasks
1. Evaluating password pairs
p@ssw0rd pAsswOrd
p@ssw0rd much more secure
pAssw0rd much more secure
Why?

Task 1 Hypotheses
• 25 common characteristics, e.g.,
– Capitalization
– Letters vs. digits vs. symbols
– Choice of words and phrases
• Created 3 pairs per hypothesis
– Randomly chose 1 pair per participant
– At least one password per pair from

Study Tasks
1. Evaluating password pairs
2. Rating selected passwords
Please rate the security of the following password: rolltide
Please rate the memorability of the following password: rolltide

Study Tasks
1. Evaluating password pairs
2. Rating selected passwords
3. Rating creation strategies
4. Describing attackers
– Who, why, how

Results
1. Evaluating password pairs
2. Rating selected passwords
3. Rating creation strategies
4. Describing attackers

Evaluating Password Pairs
iloveyou88 ieatkale88
4,000,000,000× more secure!
Image Creative Commons by Jinx! (span112) on Flickr

Evaluating Password Pairs
brooklyn16 brooklynqy
300,000× more secure!
Image Creative Commons by Jinx! (span112) on Flickr

Ways People Were Wrong
• Overstated security benefits of:
– Digits
– Character substitutions (e.g., a → @)
– Keyboard patterns (e.g., 1qaz2wsx3edc)
• Did not recognize common words/phrases

Many Ways People Were Right
• Capitalize letters other than the first
• Put digits and symbols in middle, not end
• Use symbols rather than digits
• Avoid:
– Common first names
– Words related to account
– Years and sequences

If perceptions of many individual characteristics are correct, then why do people make bad passwords?

Perceptions of Attackers
Images Creative Commons by Stephen C. Webster, Jinx! (span112), and Adam Thomas on Flickr, and on Wikimedia

Perception: How Many Guesses?
![Page 75: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/75.jpg)
• 2 guesses (Min)
Perception: How Many Guesses?
![Page 76: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/76.jpg)
• 2 guesses (Min)
• 100,000,000,000,000,000,000,000,000,
000,000,000,000,000,000,000,000,000,
000,000 guesses (Max)
Perception: How Many Guesses?
![Page 77: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/77.jpg)
• 2 guesses (Min)
• 100,000,000,000,000,000,000,000,000,
000,000,000,000,000,000,000,000,000,
000,000 guesses (Max)
• 34% ≤ 50 guesses (manual attack)
Perception: How Many Guesses?
![Page 78: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/78.jpg)
• 2 guesses (Min)
• 100,000,000,000,000,000,000,000,000,
000,000,000,000,000,000,000,000,000,
000,000 guesses (Max)
• 34% ≤ 50 guesses (manual attack)
• 67% ≤ 50,000 guesses (small-scale)
Perception: How Many Guesses?
![Page 79: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/79.jpg)
Perception: How Many Guesses?
• 2 guesses (Min)
• 100,000,000,000,000,000,000,000,000,
000,000,000,000,000,000,000,000,000,
000,000 guesses (Max)
• 34% ≤ 50 guesses (manual attack)
• 67% ≤ 50,000 guesses (small-scale)
• 7% ≥ 10^14 guesses (large-scale)
![Page 80: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/80.jpg)
Reality: How Many Guesses?
![Page 84: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/84.jpg)
Reality: Small-Scale Guessing
• Targeted guessing by someone you know
• Automated attack by a stranger
– Online: 1 – 1,000,000 guesses
![Page 89: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/89.jpg)
Reality: Large-Scale Guessing
• Against stolen database of passwords
• Against password-protected file
• 1,000,000 guesses (best practices)
• 10^14 or more (common reality)
![Page 90: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/90.jpg)
Perception: Small-scale (67% ≤ 50,000)
Reality: Small-scale… …and large-scale (≥ 10^14 guesses)
![Page 94: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/94.jpg)
Conclusions
• Perceptions of individual characteristics
– Often consistent with current attacks
– Some crucial differences
• Huge variance in perceptions of attackers
• Current user feedback is insufficient
![Page 95: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/95.jpg)
Better Password Scoring
William Melicher, Blase Ur, Sean M. Segreti, Saranga Komanduri, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor. Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks. In Proc. USENIX Security Symposium, 2016.
![Page 96: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/96.jpg)
Better Password Scoring
• Real-time feedback
• Runs entirely client-side
• Accurately models password guessability
Image CC by Wes Breazell on the Noun Project
![Page 97: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/97.jpg)
Generating Passwords
![Page 98: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/98.jpg)
Generating Passwords
passw_ (next character: o or maybe 0 or O or ...)
![Page 99: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/99.jpg)
Generating Passwords
passw
Next char is: A: 3%, B: 1%, C: 0.6%, …, O: 55%, …, Z: 0.01%, 0: 20%, 1: ...
![Page 100: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/100.jpg)
Generating Passwords
“” Prob: 100%
Next char is: A: 3%, B: 2%, C: 5%, …, O: 2%, …, Z: 0.2%, 0: 1%, 1: …, END: 2%
![Page 103: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/103.jpg)
Generating Passwords
“C” Prob: 5%
Next char is: A: 10%, B: 1%, C: 4%, …, O: 8%, …, Z: 0.02%, 0: 3%, 1: …, END: 6%
![Page 105: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/105.jpg)
Generating Passwords
“CA” Prob: 0.5%
Next char is: A: 3%, B: 10%, C: 7%, …, O: 1%, …, Z: 0.03%, 0: 2%, 1: …, END: 12%
![Page 106: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/106.jpg)
Generating Passwords
“CAB” Prob: 0.05%
Next char is: A: 3%, B: 10%, C: 7%, …, O: 1%, …, Z: 0.03%, 0: 2%, 1: …, END: 3%
![Page 107: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/107.jpg)
Generating Passwords
“CAB” Prob: 0.05%
Next char is: A: 4%, B: 3%, C: 1%, …, O: 2%, …, Z: 0.01%, 0: 4%, 1: …, END: 12%
![Page 109: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/109.jpg)
Generating Passwords
“CAB” Prob: 0.006%
![Page 110: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/110.jpg)
Generating Passwords
CAB - 0.006%
CAC - 0.0042%
ADD1 - 0.002%
CODE - 0.0013%
...
![Page 111: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/111.jpg)
Design Space
• Model size: 3mb (browser) vs. 60mb (GPU)
• Transference learning
– Novel password-composition policies
• Training data
– Natural language
• (Many others)
![Page 112: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/112.jpg)
Method
• Test on many password sets
• Monte Carlo methods to estimate guess #
![Page 113: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/113.jpg)
Results
![Page 116: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/116.jpg)
Results
More accurate guessing
![Page 117: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/117.jpg)
Neural Networks Guess Better
![Page 121: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/121.jpg)
Larger Model Not Major Advantage
![Page 122: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/122.jpg)
Browser Implementation
• Start with smaller model
• Quantize parameters
• Lossless compression
• Pre-compute inexact mapping of probabilities → guess #
• Cache intermediate results
• <1mb, ~ 17ms per character
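The chain-rule scoring walked through on the "Generating Passwords" slides, the Monte Carlo guess-number estimate from "Method", and the pre-computed probability-to-guess-number mapping from "Browser Implementation", as an added example that is not from the slides or from the cupslab meter. A smoothed order-3 character model stands in for the neural network; `CharModel`, `build_guess_table`, `log10_guess_number`, the alphabet and the training list are all assumptions made for illustration.

```python
import bisect
import math
import random
import string
from collections import Counter, defaultdict

END = "\n"  # end-of-password symbol, the "END" entry on the slides
ALPHABET = string.ascii_letters + string.digits + "!@#$%_-." + END  # assumed alphabet
# Constructed training list; a deployed meter trains on large password corpora.
TRAINING = ["password", "password1", "passw0rd", "Password1", "princess",
            "letmein", "iloveyou", "monkey12", "dragon", "sunshine",
            "qwerty", "qwerty123", "abc123", "football", "unicorns", "Unic0rns"]


class CharModel:
    """Order-k character model with additive smoothing (stand-in for the network)."""

    def __init__(self, passwords, order=3, alpha=0.001):
        self.order, self.alpha = order, alpha
        self.counts = defaultdict(Counter)
        for pw in passwords:
            seq = pw + END
            for i, ch in enumerate(seq):
                self.counts[seq[max(0, i - order):i]][ch] += 1

    def next_char_probs(self, prefix):
        """The 'Next char is: A: 3%, ..., END: 2%' table for a given prefix."""
        seen = self.counts.get(prefix[-self.order:], {})
        total = sum(seen.values()) + self.alpha * len(ALPHABET)
        return {ch: (seen.get(ch, 0) + self.alpha) / total for ch in ALPHABET}

    def log_prob(self, password):
        """ln P(password): chain rule over every character, then END."""
        lp = 0.0
        for i, ch in enumerate(password + END):
            p = self.next_char_probs(password[:i]).get(ch, 0.0)
            # Characters outside ALPHABET, or END inside the password,
            # are strings this model can never produce.
            if p == 0.0 or (ch == END and i < len(password)):
                return -math.inf
            lp += math.log(p)
        return lp

    def sample(self, rng):
        """Draw one password from the model; returns (password, ln P)."""
        pw, lp = "", 0.0
        while True:  # terminates: smoothing gives END non-zero probability
            probs = self.next_char_probs(pw)
            ch = rng.choices(list(probs), weights=list(probs.values()))[0]
            lp += math.log(probs[ch])
            if ch == END:
                return pw, lp
            pw += ch


def _logaddexp(a, b):
    """ln(e^a + e^b) without overflow."""
    if a == -math.inf or b == -math.inf:
        return max(a, b)
    return max(a, b) + math.log1p(math.exp(-abs(a - b)))


def build_guess_table(model, n_samples, rng):
    """Pre-computed, inexact probability -> guess-number mapping (Monte Carlo).

    Each sample with probability p_i stands for 1 / (n * p_i) passwords, so the
    running sum over samples sorted from most to least probable estimates how
    many passwords the model ranks above a given probability. Sums are kept
    as logarithms because very unlikely samples would overflow a float.
    """
    neg_lps = sorted(-model.sample(rng)[1] for _ in range(n_samples))
    cum, running = [], -math.inf
    for neg_lp in neg_lps:
        running = _logaddexp(running, neg_lp - math.log(n_samples))
        cum.append(running)
    return neg_lps, cum


def log10_guess_number(model, table, password):
    """log10 of the estimated guess number (0.0 means 'first guess')."""
    neg_lps, cum = table
    # Number of samples strictly more probable than the password.
    k = bisect.bisect_left(neg_lps, -model.log_prob(password))
    ahead = cum[k - 1] if k else -math.inf
    return _logaddexp(0.0, ahead) / math.log(10)  # log10(1 + passwords ranked ahead)


if __name__ == "__main__":
    model = CharModel(TRAINING)
    table = build_guess_table(model, 2000, random.Random(2018))
    for pw in ["password", "Unic0rns", "xQ7!kP2_"]:
        print(f"{pw!r}: P={math.exp(model.log_prob(pw)):.3g}, "
              f"~10^{log10_guess_number(model, table, pw):.1f} guesses")
```

The table is built once; scoring a candidate afterwards costs one pass of the model over its characters plus a binary search, which is what makes per-keystroke feedback practical.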
![Page 123: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/123.jpg)
Intelligibility
![Page 124: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/124.jpg)
Building a Data-Driven Meter
Blase Ur, Felicia Alfieri, Maung Aung, Lujo Bauer, Nicolas Christin, Jessica Colnago, Lorrie Faith Cranor, Henry Dixon, Pardis Emami Naeini, Hana Habib, Noah Johnson, William Melicher. Development and Evaluation of a Data-Driven Password Meter. In Proc. CHI, 2017.
![Page 125: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/125.jpg)
We designed & tested a meter with:
1) Principled strength estimates
2) Data-driven feedback to users
![Page 128: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/128.jpg)
Provide Intelligible Explanations
• 21 characteristics
• Weightings determined with regression
Unic0rns
![Page 130: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/130.jpg)
Main Screen…
![Page 131: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/131.jpg)
…Shows Requirements
![Page 132: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/132.jpg)
…Emphasizes Avoiding Reuse
![Page 133: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/133.jpg)
…Provides Abstract Advice
![Page 134: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/134.jpg)
After Requirements Are Met…
![Page 135: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/135.jpg)
…Displays Score Visually
![Page 136: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/136.jpg)
…Provides Text Feedback
![Page 137: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/137.jpg)
…Gives Detail (Password Shown)
![Page 138: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/138.jpg)
…Offers Explanations
![Page 139: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/139.jpg)
Explanations Shown in Modal
![Page 141: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/141.jpg)
Evaluation
• 2-part online study
1) Create password; survey; recall password (48 hours later, send automated email)
2) Recall password; survey
• 4,509 Mechanical Turk participants
– Between-subjects
– Full-factorial design along three dimensions
![Page 142: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/142.jpg)
Dimension 1: Composition Policy
• 8+ characters (1class8), e.g. password
• 12+ characters, 3+ classes (3class12), e.g. Password1234
![Page 143: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/143.jpg)
Dimension 2: Stringency
• Low: 10^4 guesses, 10^8 guesses
• Medium: 10^6 guesses, 10^12 guesses
• High: 10^8 guesses, 10^16 guesses
![Page 146: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/146.jpg)
Dimension 3: Feedback
![Page 147: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/147.jpg)
No Feedback
![Page 148: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/148.jpg)
Bar Only
![Page 149: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/149.jpg)
Public (Non-Sensitive) Feedback
![Page 150: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/150.jpg)
Standard Feedback
![Page 153: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/153.jpg)
Standard, No Suggested Improvement
![Page 154: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/154.jpg)
Standard, No Bar
![Page 155: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/155.jpg)
Measure Password Guessability
![Page 158: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/158.jpg)
Measure Password Guessability
Passwords harder to guess
![Page 160: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/160.jpg)
Feedback → More Secure Passwords
![Page 163: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/163.jpg)
Usability Results
• Feedback did not significantly impact password memorability
• More feedback → more difficult, annoying
• All features had value for some participants
![Page 164: PowerPoint Presentation - Slide 1 · 2018-04-13 · Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy](https://reader033.fdocuments.us/reader033/viewer/2022041921/5e6c1c901e97d829a22370f9/html5/thumbnails/164.jpg)
Feedback → More Secure Passwords
https://github.com/cupslab/password_meter
• Help us improve the meter
• Demo: https://cups.cs.cmu.edu/meter
Blase Ur, Assistant Professor, University of Chicago