This paper presents the first large-scale study of the success of password expiration in meeting its intended purpose, namely revoking access to an account by an attacker who has captured the account's password. Using a dataset of over 7700 accounts, we assess the extent to which passwords that users choose to replace expired ones pose an obstacle to the attacker's continued access. We develop a framework by which an attacker can search for a user's new password from an old one, and design an efficient algorithm to build an approximately optimal search strategy. We then use this strategy to measure the difficulty of breaking newly chosen passwords from old ones. We believe our study calls into question the merit of continuing the practice of password expiration.