Password cracking: a game of wits. Communications of the ACM
Password security: a case history. Communications of the ACM
Securing passwords against dictionary attacks. Proceedings of the 9th ACM conference on Computer and communications security
Firewalls and Internet Security: Repelling the Wily Hacker
Case Study: Online Banking Security. IEEE Security and Privacy
KLASSP: Entering Passwords on a Spyware Infected Machine Using a Shared-Secret Proxy. ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
Exposing private information by timing web applications. Proceedings of the 16th international conference on World Wide Web
A large-scale study of web password habits. Proceedings of the 16th international conference on World Wide Web
Brute force attack on UNIX passwords with SIMD computer. SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
Perfectly secure password protocols in the bounded retrieval model. TCC'06 Proceedings of the Third conference on Theory of Cryptography
Improving text passwords through persuasion. Proceedings of the 4th symposium on Usable privacy and security
Analyzing websites for user-visible security design flaws. Proceedings of the 4th symposium on Usable privacy and security
One-Time Password Access to Any Server without Changing the Server. ISC '08 Proceedings of the 11th international conference on Information Security
Can "Something You Know" Be Saved? ISC '08 Proceedings of the 11th international conference on Information Security
HOTSEC'08 Proceedings of the 3rd conference on Hot topics in security
THE WAY I SEE IT: When security gets in the way. interactions - Catalyzing a Perfect Storm
So long, and no thanks for the externalities: the rational rejection of security advice by users. NSPW '09 Proceedings of the 2009 workshop on New security paradigms workshop
The true cost of unusable password policies: password use in the wild. Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
BogusBiter: A transparent protection against phishing attacks. ACM Transactions on Internet Technology (TOIT)
Where do security policies come from? Proceedings of the Sixth Symposium on Usable Privacy and Security
A diary study of password usage in daily life. Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Proceedings of the 2011 workshop on New security paradigms workshop
SP'11 Proceedings of the 19th international conference on Security Protocols
Mercury: recovering forgotten passwords using personal devices. FC'11 Proceedings of the 15th international conference on Financial Cryptography and Data Security
Improving user authentication on mobile devices: a touchscreen graphical password. Proceedings of the 15th international conference on Human-computer interaction with mobile devices and services
We find that traditional password advice given to users is somewhat dated. Strong passwords do nothing to protect online users from password-stealing attacks such as phishing and keylogging, and yet they place a considerable burden on users. Passwords that are too weak, of course, invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a "three strikes" type rule is in place. Above that minimum, it appears that increasing password strength does little to address any real threat. If a larger credential space is needed, it appears better to increase the strength of the userIDs rather than the passwords. For large institutions this is just as effective in deterring bulk guessing attacks and is a great deal better for users. For small institutions there appears little reason to require strong passwords for online accounts.
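The arithmetic behind the abstract's two claims (a 20-bit password is unrealistic to brute-force online under a three-strikes rule, and extra bits in userIDs enlarge the credential space exactly as extra bits in passwords do) can be checked with the following model. It is an added illustration, not code from the paper; the uniform-password assumption, the three-guesses-per-24-hour lockout window and the account counts are constructed for the example.

```python
"""Toy model of online password guessing under a lockout ("three strikes") rule.

Constructed assumptions for this illustration (not from the paper):
  * passwords are uniform over 2**bits values, so an attacker with no
    better-than-random dictionary needs (N + 1) / 2 guesses on average;
  * a server allows `strikes` failed attempts per account per lockout
    window, then locks the account for the rest of that window;
  * a bulk attacker submits (userID, password) pairs without knowing which
    userIDs exist; a guess succeeds only if both the userID and password are right.
"""


def expected_guesses(bits: int) -> float:
    """Mean number of guesses to find one uniformly random password of `bits` bits."""
    space = 2 ** bits
    return (space + 1) / 2


def expected_windows_single_account(bits: int, strikes: int) -> float:
    """Lockout windows needed to brute-force ONE account at `strikes` tries per window."""
    return expected_guesses(bits) / strikes


def expected_years_single_account(bits: int, strikes: int, window_hours: float) -> float:
    """Wall-clock years for the single-account attack; `window_hours` is the lockout length."""
    hours = expected_windows_single_account(bits, strikes) * window_hours
    return hours / (24 * 365.25)


def expected_guesses_bulk(userid_bits: int, password_bits: int, valid_accounts: int) -> float:
    """Mean guesses before a bulk attacker's first hit on ANY account.

    Every (userID, password) guess is one point in a credential space of
    2**(userid_bits + password_bits); `valid_accounts` of those points are
    live, so each guess succeeds with probability valid_accounts / space.
    """
    space = 2 ** (userid_bits + password_bits)
    return space / valid_accounts


if __name__ == "__main__":
    # The abstract's ~20-bit password, three strikes per 24 h window: centuries per account.
    print(f"20 bits, 3 strikes/day: {expected_years_single_account(20, 3, 24):,.0f} years")
    # Bulk guessing: 10 extra userID bits buy exactly what 10 extra password bits buy.
    print(expected_guesses_bulk(30, 20, 2 ** 16) == expected_guesses_bulk(20, 30, 2 ** 16))
```

The single-account figure is what the lockout rule buys; the bulk figure shows why the paper says a larger credential space can come from the userID side instead of the password side.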