research-article

Surpass: System-initiated User-replaceable Passwords

Authors:

Hyoungshick Kim,

Konstantin Beznosov,

S. Raj RajagopalanAuthors Info & Claims

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

Pages 170 - 181

https://doi.org/10.1145/2810103.2813622

Published: 12 October 2015 Publication History

Abstract

System-generated random passwords have maximum password security and are highly resistant to guessing attacks. However, few systems use such passwords because they are difficult to remember. In this paper, we propose a system-initiated password scheme called "Surpass" that lets users replace few characters in a random password to make it more memorable. We conducted a large-scale online study to evaluate the usability and security of four Surpass policies, varying the number of character replacements allowed from 1 to 4 in randomly-generated 8-character passwords. The study results suggest that some Surpass policies (with 3 and 4 character replacements) outperform by 11% to 13% the original randomly-generated password policy in memorability, while showing a small increase in the percentage of cracked passwords. When compared to a user-generated password complexity policy (that mandates the use of numbers, symbols, and uppercase letters) the Surpass policy with 4-character replacements did not show statistically significant inferiority in memorability. Our qualitative lab study showed similar trends. This Surpass policy demonstrated significant superiority in security though, with 21% fewer cracked passwords than the user-generated password policy.

References

[1]

Amazon Mechanical Turk. https://www.mturk.com/mturk/welcome.

[2]

R. Atkinson and R. Shiffrin. Human memory: A proposed system and its control processes. volume 2 of Psychology of Learning and Motivation. Academic Press, 1968.

[3]

S. Bhuyan. Evaluating the Usability of System-Generated and User-Generated Passwords of Approximately Minimum Equal Security. PhD thesis, Clemson University, 2011.

[4]

M. Bishop. Password management. In Compcon Spring '91. Digest of Papers, pages 167--169, Feb 1991.

[5]

J. Bonneau. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. In Proceedings of the 33rd IEEE Symposium on Security and Privacy, 2012.

Digital Library

[6]

J. Bonneau and S. Schechter. Towards Reliable Storage of 56-bit Secrets in Human Memory. In Proceedings of the 23rd USENIX Conference on Security Symposium, 2014.

Digital Library

[7]

M. Ciampa. A comparison of password feedback mechanisms and their impact on password entropy. Information Management & Computer Security, 21(5):344--359, 2013.

[8]

S. Fahl, M. Harbach, Y. Acar, and M. Smith. On the ecological validity of a password study. In Proceedings of the 9th Symposium on Usable Privacy and Security, 2013.

Digital Library

[9]

A. Forget, S. Chiasson, P. C. van Oorschot, and R. Biddle. Improving Text Passwords Through Persuasion. In Proceedings of the 4th Symposium on Usable Privacy and Security, 2008.

Digital Library

[10]

D. Goodin. Anatomy of a hack: How crackers ransack passwords like "qeadzcwrsfxv1331". http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/, May 2013.

[11]

hashcat. Rule-based Attack. http://hashcat.net/wiki/doku.php?id=rule_based_attack.

[12]

J. H. Huh, H. Kim, R. B. Bobba, M. N. Bashir, and K. Beznosov. On the Memorability of System-generated PINs: Can Chunking Help? In Proceedings of the 11th Symposium On Usable Privacy and Security, 2015.

[13]

M. Keith, B. Shao, and P. J. Steinbart. The usability of passphrases for authentication: An empirical field study. International Journal of Human-Computer Studies, 65:17--28, 2007.

Digital Library

[14]

Kelley, Patrick Gage and Komanduri, Saranga and Mazurek, Michelle L. and Shay, Richard and Vidas, Timothy and Bauer, Lujo and Christin, Nicolas and Cranor, Lorrie Faith and Lopez, Julio. Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms. In Proceedings of the 33rd IEEE Symposium on Security and Privacy, 2012.

Digital Library

[15]

S. Komanduri, R. Shay, P. G. Kelley, M. L. Mazurek, L. Bauer, N. Christin, L. F. Cranor, and S. Egelman. Of passwords and people: measuring the effect of password-composition policies. In Proceedings of the 29th SIGCHI Conference on Human Factors in Computing Systems, 2011.

Digital Library

[16]

R. Shay, P. G. Kelley, S. Komanduri, M. L. Mazurek, B. Ur, T. Vidas, L. Bauer, N. Christin, and L. F. Cranor. Correct Horse Battery Staple: Exploring the Usability of System-assigned Passphrases. In Proceedings of the 8th Symposium on Usable Privacy and Security, 2012.

Digital Library

[17]

R. Shay, S. Komanduri, A. L. Durity, P. S. Huh, M. L. Mazurek, S. M. Segreti, B. Ur, L. Bauer, N. Christin, and L. F. Cranor. Can Long Passwords Be Secure and Usable? In Proceedings of the 33rd SIGCHI Conference on Human Factors in Computing Systems, 2014.

Digital Library

[18]

R. Shay, S. Komanduri, P. G. Kelley, P. G. Leon, M. L. Mazurek, L. Bauer, N. Christin, and L. F. Cranor. Encountering stronger password requirements: user attitudes and behaviors. In Proceedings of the 6th Symposium on Usable Privacy and Security, 2010.

Digital Library

[19]

B. Ur, P. G. Kelley, S. Komanduri, J. Lee, M. Maass, M. L. Mazurek, T. Passaro, R. Shay, T. Vidas, L. Bauer, N. Christin, and L. F. Cranor. How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation. In Proceedings of the 21st USENIX Conference on Security Symposium, 2012.

Digital Library

[20]

J. Yan, A. Blackwell, R. Anderson, and A. Grant. Password memorability and security: empirical results. IEEE Security and Privacy, 2(5):25--31, 2004.

Digital Library

Cited By

Sridevi MNirmala A(2024)Strong Password Checker Security and PrivacyProceedings of the 5th International Conference on Data Science, Machine Learning and Applications; Volume 210.1007/978-981-97-8043-3_169(1099-1103)Online publication date: 20-Oct-2024
https://doi.org/10.1007/978-981-97-8043-3_169
Mukherjee AMurali KJha SGanguly NChatterjee RMondal M(2023)MASCARA : Systematically Generating Memorable And Secure PassphrasesProceedings of the 2023 ACM Asia Conference on Computer and Communications Security10.1145/3579856.3582839(524-538)Online publication date: 10-Jul-2023
https://dl.acm.org/doi/10.1145/3579856.3582839
Singh AJain MGoyal S(2022)A 3-Lock based Password Hashing Algorithm2022 IEEE Conference on Interdisciplinary Approaches in Technology and Management for Social Innovation (IATMSI)10.1109/IATMSI56455.2022.10119411(1-6)Online publication date: 21-Dec-2022
https://doi.org/10.1109/IATMSI56455.2022.10119411
Show More Cited By

Index Terms

Surpass: System-initiated User-replaceable Passwords
1. Human-centered computing
  1. Human computer interaction (HCI)
2. Security and privacy
  1. Security services
    1. Authentication
  2. Systems security
    1. Operating systems security

Recommendations

Of passwords and people: measuring the effect of password-composition policies
CHI '11: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems

Text-based passwords are the most common mechanism for authenticating humans to computer systems. To prevent users from picking passwords that are too easy for an adversary to guess, system administrators adopt password-composition policies (e.g., ...
On the memorability of system-generated pins: can chunking help?
SOUPS '15: Proceedings of the Eleventh USENIX Conference on Usable Privacy and Security

To ensure that users do not choose weak personal identification numbers (PINs), many banks give out system-generated random PINs. 4-digit is the most commonly used PIN length, but 6-digit system-generated PINs are also becoming popular. The increased ...
Optiwords: A new password policy for creating memorable and strong passwords
Abstract
User-generated textual passwords suffer from the conflict between security and usability. System administrators usually adopt password composition policies to help users choose strong passwords. However, users often use predictable patterns to ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

October 2015

1750 pages

ISBN:9781450338325

DOI:10.1145/2810103

General Chair:
Indrajit Ray
Colorado State University, USA
,
Program Chairs:
Ninghui Li
Purdue University, USA
,
Christopher Kruegel
University of California, Santa Barbara, USA

Copyright © 2015 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 12 October 2015

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS'15

Sponsor:

SIGSAC

CCS'15: The 22nd ACM Conference on Computer and Communications Security

October 12 - 16, 2015

Colorado, Denver, USA

Acceptance Rates

CCS '15 Paper Acceptance Rate 128 of 660 submissions, 19%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

25
Total Citations
View Citations
904
Total Downloads

Downloads (Last 12 months)16
Downloads (Last 6 weeks)0

Reflects downloads up to 07 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Sridevi MNirmala A(2024)Strong Password Checker Security and PrivacyProceedings of the 5th International Conference on Data Science, Machine Learning and Applications; Volume 210.1007/978-981-97-8043-3_169(1099-1103)Online publication date: 20-Oct-2024
https://doi.org/10.1007/978-981-97-8043-3_169
Mukherjee AMurali KJha SGanguly NChatterjee RMondal M(2023)MASCARA : Systematically Generating Memorable And Secure PassphrasesProceedings of the 2023 ACM Asia Conference on Computer and Communications Security10.1145/3579856.3582839(524-538)Online publication date: 10-Jul-2023
https://dl.acm.org/doi/10.1145/3579856.3582839
Singh AJain MGoyal S(2022)A 3-Lock based Password Hashing Algorithm2022 IEEE Conference on Interdisciplinary Approaches in Technology and Management for Social Innovation (IATMSI)10.1109/IATMSI56455.2022.10119411(1-6)Online publication date: 21-Dec-2022
https://doi.org/10.1109/IATMSI56455.2022.10119411
Doolani JWright MSetty RHaque SKitamura YQuigley AIsbister KIgarashi TBjørn PDrucker S(2021)LociMotion: Towards Learning a Strong Authentication Secret in a Single SessionProceedings of the 2021 CHI Conference on Human Factors in Computing Systems10.1145/3411764.3445105(1-13)Online publication date: 6-May-2021
https://dl.acm.org/doi/10.1145/3411764.3445105
Choi JCho JKim HHyun S(2020)Towards Secure and Usable Certificate-Based Authentication System Using a Secondary Device for an Industrial Internet of ThingsApplied Sciences10.3390/app1006196210:6(1962)Online publication date: 13-Mar-2020
https://doi.org/10.3390/app10061962
Kariryaa ASchöning J(2020)MoiPrivacy: Design and Evaluation of a Personal Password MeterProceedings of the 19th International Conference on Mobile and Ubiquitous Multimedia10.1145/3428361.3428397(201-211)Online publication date: 22-Nov-2020
https://dl.acm.org/doi/10.1145/3428361.3428397
Li YChen ZWang HSun KJajodia S(2020)Understanding Account Recovery in the Wild and Its Security ImplicationsIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2020.2975789(1-1)Online publication date: 2020
https://doi.org/10.1109/TDSC.2020.2975789
Chen CChang TLai G(2020)The Empirical Study of Passwords Analysis in Access Point with Specific-Rules and Graphic Process Units2020 15th Asia Joint Conference on Information Security (AsiaJCIS)10.1109/AsiaJCIS50894.2020.00029(115-120)Online publication date: Aug-2020
https://doi.org/10.1109/AsiaJCIS50894.2020.00029
Woo SArtstein RKaiser ELe XMirkovic J(2019)Using Episodic Memory for User AuthenticationACM Transactions on Privacy and Security10.1145/330899222:2(1-34)Online publication date: 2-Apr-2019
https://dl.acm.org/doi/10.1145/3308992
Zeng XXu GZheng XXiang YZhou W(2019)E-AUA: An Efficient Anonymous User Authentication Protocol for Mobile IoTIEEE Internet of Things Journal10.1109/JIOT.2018.28474476:2(1506-1519)Online publication date: Apr-2019
https://doi.org/10.1109/JIOT.2018.2847447
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents