DOI: 10.1145/3613905.3650741
Work in Progress

An Analysis of Password Managers’ Password Checkup Tools

Published: 11 May 2024

Abstract

Password managers (PMs) have been widely recommended to users to generate and store random, secure, and unique passwords across websites. Using a PM is often not enough, however, especially if users store passwords that are guessable or have been breached. To assist users in updating insecure passwords, PMs come with “checkup” features that report the strength of users’ passwords. However, there has yet to be a systematic study of the features offered as part of these checkups, and the consistency of the checkup advice across different PMs. In this paper, we conduct a preliminary analysis of 14 PMs’ password checkup features, recording how many passwords are reported weak and compromised. We find that many PMs fail to report breached credentials. Weak passwords were also under-reported by PMs. This analysis forms the basis for a larger study on the consistencies of PM checkup tools and how users perceive and use them.



Published In

CHI EA '24: Extended Abstracts of the 2024 CHI Conference on Human Factors in Computing Systems
May 2024
4761 pages
ISBN: 9798400703317
DOI: 10.1145/3613905

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. authentication
2. password managers

Qualifiers

• Work in progress
• Research
• Refereed limited

Conference

CHI '24

Acceptance Rates

Overall Acceptance Rate 6,164 of 23,696 submissions, 26%
