Passwords and Authentication Research
To combat both the inherent and user-induced weaknesses of text-based passwords, administrators and organizations typically institute a series of rules – a password policy – to which users must adhere when choosing a password. There is consensus in the literature that a properly-written password policy can provide an organization with increased security. There is, however, less accord in describing just what such a well-written policy would be, or even how to determine whether a given policy is effective. Although it is easy to calculate the theoretical password space that corresponds to a particular password policy, it is difficult to determine the practical password space. Users may, for example, react to a policy rule requiring them to include numbers in passwords by overwhelmingly picking the same number, or by always using the number in the same location in their passwords. There is little published empirical research that studies the strategies used by actual users under various password policies. In addition, some password policies, while resulting in stronger passwords, may make those passwords difficult to remember or type. This may cause users to engage in a variety of behaviors that might compromise the security of passwords, such as writing them down, reusing passwords across different accounts, or sharing passwords with friends. Other undesirable side effects of particular password policies may include frequently forgotten passwords. In fact, the harm caused by users following an onerously restrictive password policy may be greater than the harm prevented by that policy. In this project, we seek to advance understanding of the factors that make creating and following appropriate password policies difficult, collect empirical data on password entropy and memorability under various password policies, and propose password policy guidelines to simultaneously maximize security and usability of passwords. We also explore the security and usability of some new types of passwords.
Faculty: Lujo Bauer, Nicolas Christin, Lorrie Cranor
Tools and demos
Blogs and magazine articles
Joshua Tan, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor Practical Recommendations for Stronger, More Usable Passwords Combining Minimum-strength, Minimum-length, and Blocklist Requirements, CCS 2020, November 9-13, 2020.
Sruti Bhagavatula, Lujo Bauer, and Apu Kapadia. (How) Do People Change Their Passwords After a Breach? 2020 Workshop on Technology and Consumer Protection (ConPro '20), May 21, 2020.
Sarah Pearman, Shikun Aerin Zhang, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. Why people (don’t) use password managers effectively. SOUPS 2019.
Hana Habib, Pardis Emami Naeini, Summer Devlin, Maggie Oates, Chelse Swoopes, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. User Behaviors and Attitudes Under Password Expiration Policies. Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018), Baltimore, MD, pp. 13-20.
J. Colnago, S. Devlin, M. Oates, C. Swoopes, L. Bauer, L. Cranor, and N. Christin. "It's Not Actually That Horrible": Exploring Adoption of Two-Factor Authentication at a University, CHI 2018 pages 456:1--456:11, 2018.
Sarah Pearman, Jeremy Thomas, Pardis Emami Naeini, Hana Habib, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Serge Egelman, and Alain Forget. Let’s go in for a closer look: Observing passwords in their natural habitat. In Proceedings of the 24th ACM Conference on Computer and Communications Security (CCS’17). 2017.
Sean Segreti, William Melicher, Saranga Komanduri, Darya Melicher, Richard Shay, Blase Ur, Lujo Bauer, Nicolas Christin, Lorrie Cranor, and Michelle Mazurek. Diversify to Survive: Making Passwords Stronger with Adaptive Policies. SOUPS 2017, Santa Clara, CA, July 12-14, 2017.
Blase Ur, Felicia Alfieri, Maung Aung, Lujo Bauer, Nicolas Christin, Jessica Colnago, Lorrie Faith Cranor, Henry Dixon, Pardis Emami Naeini, Hana Habib, Noah Johnson, and William Melicher. 2017. Design and Evaluation of a Data-Driven Password Meter. CHI 2017. [video preview] BEST PAPER AWARD
H. Habib, J. Colnago, W. Melicher, B. Ur, S. Segreti, L. Bauer, N. Christin, and L. Cranor. Password Creation in the Presence of Blacklists. USEC 2017, February 26, 2017, San Diego, CA.
Blase Ur. Supporting Password-Security Decisions with Data. PhD thesis, Societal Computing, September 2016.
W. Melicher, B. Ur, S. Segreti, S. Komanduri, L. Bauer, N. Christin, L. Cranor. Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks. USENIX Security, August 10-12, 2016, Austin, TX. BEST PAPER AWARD
W. Melicher, D. Kurilova, S. Segreti, P. Kalvani, R. Shay, B. Ur, L. Bauer, N. Christin, L. F. Cranor, and M. L. Mazurek. Usability and security of text passwords on mobile devices. CHI'16.
B. Ur, J. Bees, S. Segreti, L. Bauer, N. Christin, and L. F. Cranor. CHI'16. Do users' perceptions of password security match reality? CHI 2016 Honorable Mention. [video teaser, online game]
R. Shay, S. Komanduri, A. Durity, P. Huh, M. Mazurek, S. Segreti, B. Ur, L. Bauer, N. Christin, L. Cranor. Designing Password Policies for Strength and Usability. ACM Trans. Inf. Syst. Secur. 18, 4, Article 13 (May 2016), 34 pages.
S. Komanduri. Modeling the Adversary to Evaluate Password Strength with Limited Samples, PhD Thesis (COS), February 2016.
B. Ur, S. Segreti, L. Bauer, N. Christin, L. Cranor, S. Komanduri, D. Kurilova, M. Mazurek, W. Melicher and R. Shay. Measuring Real-World Accuracies and Biases in Modeling Password Guessability. USENIX Security Symposium 2015. [1-minute lightning talk video]
B. Ur, F. Noma, J. Bees, S. Segreti, R. Shay, L. Bauer, N. Christin, L Cranor. "I Added '!' At The End To Make It Secure": Observing Password Creation in the Lab. SOUPS2015.
R. Shay, L. Bauer, N. Christin, L. Cranor, A. Forget, S. Komanduri, M. Mazurek, W. Melicher, S. Segreti, and B. Ur. A Spoonful of Sugar? The Impact of Guidance and Feedback on Password-Creation Behavior. CHI 2015.
R. Shay. Creating Usable Policies for Stronger Passwords with MTurk, PhD Thesis (COS), February 2015.
Chandrasekhar Bhagavatula, Blase Ur, Kevin Iacovino, Su Mon Kywe, Lorrie Faith Cranor, Marios Savvides. Biometric Authentication on iPhone and Android: Usability, Perceptions, and Influences on Adoption. USEC 2015, February 8, 2015.
Saranga Komanduri, Richard Shay, Lorrie Faith Cranor, Cormac Herley, and Stuart Schechter. Telepathwords: Preventing Weak Passwords by Reading Users' Minds. USENIX Security 2014. August 20-22, 2014, San Diego, CA, pp. 591-606.
Richard Shay, Saranga Komanduri, Adam L. Durity, Philip (Seyoung) Huh, Michelle L. Mazurek, Sean M. Segreti, Blase Ur, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. Can long passwords be secure and usable? In CHI 2014: Conference on Human Factors in Computing Systems, April 2014. ACM. [Video teaser]
M.L. Mazurek, S. Komanduri, T. Vidas, L. Bauer, N. Christin, L.F. Cranor, P.G. Kelley, R. Shay, and B. Ur. Measuring Password Guessability for an Entire University. ACM CCS 2013.
J. Blocki, S. Komanduri, A. Procaccia, and O. Sheffet. 2013. Optimizing password composition policies. In Proceedings of the fourteenth ACM conference on Electronic commerce (EC '13). ACM, New York, NY, USA, 105-122.
P.G. Kelley, S. Komanduri, M.L. Mazurek, R. Shay, T. Vidas, L. Bauer, N. Christin and L.F. Cranor. The impact of length and mathematical operators on the usability and security of system-assigned one-time PINs. USEC 2013.
B. Ur, P.G. Kelley, S. Komanduri, J. Lee, M. Maass, M. Mazurek, T. Passaro, R. Shay, T. Vidas, L. Bauer, N. Christin, and L.F. Cranor. How does your password measure up? The effect of strength meters on password creation. USENIX Security 2012.
R. Shay, P.G. Kelley, S. Komanduri, M. Mazurek, B. Ur, T. Vidas, L. Bauer, N. Christin, L.F. Cranor. Correct horse battery staple: Exploring the usability of system-assigned passphrases. SOUPS 2012.
Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Rich Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Julio Lopez. Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. 2012 IEEE Symposium on Security and Privacy (Oakland) [CyLab Technical Report cmu-cylab-11-008, August 21, 2011.]
Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Serge Egelman. Of passwords and people: Measuring the effect of password-composition policies. In CHI 2011: Conference on Human Factors in Computing Systems, May 2011. CHI 2011 Honorable Mention.
Eiji Hayashi, Jason Hong, and Nicolas Christin. Security through a Different Kind of Obscurity: Evaluating Distortion in Graphical Authentication Schemes. In CHI 2011: Conference on Human Factors in Computing Systems, May 2011.
Encountering Stronger Password Requirements: User Attitudes and Behaviors. Richard Shay, Saranga Komanduri, Patrick Gage Kelley, Pedro Giovanni Leon, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin and Lorrie Faith Cranor. SOUPS 2010.
Eiji Hayashi, Nicolas Christin, Rachna Dhamija, and Adrian Perrig Use Your Illusion: Secure Authentication Usable Anywhere. In Proceedings of the Fourth Symposium on Usable Privacy and Security (SOUPS'08). Pittsburgh, PA. July 2008
C. Kuo, S. Romanosky, and L. Cranor. Human Selection of Mnemonic Phrase-Based Passwords. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA.