Visible to the public An Empirical Analysis on the Usability and Security of Passwords

TitleAn Empirical Analysis on the Usability and Security of Passwords
Publication TypeConference Paper
Year of Publication2020
AuthorsWalia, K. S., Shenoy, S., Cheng, Y.
Conference Name2020 IEEE 21st International Conference on Information Reuse and Integration for Data Science (IRI)
Date Publishedaug
Keywordsauthentication, authorisation, compositionality, empirical analysis, Entropy, Guidelines, Information Reuse and Security, message authentication, NIST, password, password creation strategies, password security, password-based authentication systems, passwords, phonemes, pubcrawl, Resiliency, security, security experts, usability
AbstractSecurity and usability are two essential aspects of a system, but they usually move in opposite directions. Sometimes, to achieve security, usability has to be compromised, and vice versa. Password-based authentication systems require both security and usability. However, to increase password security, absurd rules are introduced, which often drive users to compromise the usability of their passwords. Users tend to forget complex passwords and use techniques such as writing them down, reusing them, and storing them in vulnerable ways. Enhancing the strength while maintaining the usability of a password has become one of the biggest challenges for users and security experts. In this paper, we define the pronounceability of a password as a means to measure how easy it is to memorize - an aspect we associate with usability. We examine a dataset of more than 7 million passwords to determine whether the usergenerated passwords are secure. Moreover, we convert the usergenerated passwords into phonemes and measure the pronounceability of the phoneme-based representations. We then establish a relationship between the two and suggest how password creation strategies can be adapted to better align with both security and usability.
Citation Keywalia_empirical_2020