Word association norms, mutual information, and lexicography
Computational Linguistics
The official PGP user's guide
Password security: a case history
Communications of the ACM
On the Incomparability of Entropy and Marginal Guesswork in Brute-Force Attacks
INDOCRYPT '00 Proceedings of the First International Conference on Progress in Cryptology
Password Memorability and Security: Empirical Results
IEEE Security and Privacy
Human selection of mnemonic phrase-based passwords
SOUPS '06 Proceedings of the second symposium on Usable privacy and security
The usability of passphrases for authentication: An empirical field study
International Journal of Human-Computer Studies
The second release of the RASP system
COLING-ACL '06 Proceedings of the COLING/ACL on Interactive presentation sessions
ACSW '07 Proceedings of the fifth Australasian symposium on ACSW frontiers - Volume 68
High-Speed Search System for PGP Passphrases
CANS '08 Proceedings of the 7th International Conference on Cryptology and Network Security
Passwords: If We're So Smart, Why Are We Still Using Them?
Financial Cryptography and Data Security
Of passwords and people: measuring the effect of password-composition policies
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Improving usability through password-corrective hashing
SPIRE'06 Proceedings of the 13th international conference on String Processing and Information Retrieval
FC'10 Proceedings of the 14th international conference on Financial Cryptography and Data Security
Effect of grammar on security of long passwords
Proceedings of the third ACM conference on Data and application security and privacy
We examine patterns of human choice in a passphrase-based authentication system deployed by Amazon, a large online merchant. We tested the availability of a large corpus of over 100,000 possible phrases at Amazon's registration page, which prohibits using any phrase already registered by another user. A number of large, readily available lists such as movie and book titles prove effective in guessing attacks, suggesting that passphrases are vulnerable to dictionary attacks like all schemes involving human choice. Extending our analysis with natural language phrases extracted from linguistic corpora, we find that phrase selection is far from random, with users strongly preferring simple noun bigrams which are common in natural language. The distribution of chosen passphrases is less skewed than the distribution of bigrams in English text, indicating that some users have attempted to choose phrases randomly. Still, the distribution of bigrams in natural language is not nearly random enough to resist offline guessing, nor are longer three- or four-word phrases, for which we see rapidly diminishing returns.