Microsoft Research
Telepathwords: preventing weak passwords by reading users’ minds
Saranga Komanduri, Richard Shay, Lorrie Faith Cranor, Cormac Herley, Stuart Schechter
Authentication ecosystem
Users Adversaries
System administrators
Defending users
• System administrators set password policies
  – Constraints on passwords
Character requirements
• Common component of policies
  – Length
  – Uppercase, digit, symbol
• Can’t prevent weak passwords: Qwerty!23456, Thisismypassword! (actual passwords from Shay et al. 2014)
Character requirements
• Default policies often use only character requirements
• In Microsoft Active Directory (3class8)
  – 3 of the following: uppercase, lowercase, digit, symbol
  – 8 character minimum
These requirements don’t improve security, and they make passwords harder to type
Goal
• Focus on weakest passwords
  – Threat model: online attack of an organization
  – Policies should make the weakest passwords harder to guess
Contributions
• Show that character requirements don’t prevent weak passwords
• Introduce Telepathwords
  – Detects weak passwords while providing real-time feedback
• Show that real-time feedback coupled with prevention of common patterns works well
  – Significantly better security than character requirements
  – Not significantly different in usability (after creation)
Telepathwords
• Real-time predictions
• Explanations show why password is guessable
• Prediction display can be turned off
• Feedback bar scores password by predictions
• Can enforce a policy by requiring a minimum number of unpredicted characters
(Feedback bar legend: unpredicted / predicted)
Related work
• Character requirements haven’t changed much in 35 years since Morris and Thompson
  – Proposed 6-character minimum [1979]
  – Very little security improvement [Bonneau 2012]
• Password meters
  – Meters are typically based on character requirements [Ur et al. 2012]
  – No consistency across meters [de Carnevalet and Mannan 2013]
• zxcvbn entropy estimator [Wheeler 2012]
Password meters don’t explain their scores
Generating predictions
• Multiple, weighted “predictors” produce next-character guesses and likelihood scores
• Search query n-grams
• Password sets
• Common substitutions (s -> $, a -> @, etc.)
• Keyboard patterns
• Repeating patterns
• Interleaving strings
• Can cover many behaviors and easily add
• Many possible ways to implement, ours is just one example
Evaluation
• December 2013 - deployed as a public website https://telepathwords.research.microsoft.com
• February 2014 - Mechanical Turk study
  – CMU branded, using JavaScript API
Policies
• 6 policy conditions (2 Telepathwords)
• All conditions included some visual feedback
Condition: basic8
Requirements:
  – Minimum 8 characters
Condition: 3class8
  – Minimum 8 characters
  – Must contain at least 3 of the following: lowercase, uppercase, digit, symbol
Condition: 3class8-d
  – Minimum 8 characters
  – Must contain at least 3 of the following: lowercase, uppercase, digit, symbol
  – Letters in password must not be in a dictionary
Condition: 3class12
  – Minimum 12 characters
  – Must contain at least 3 of the following: lowercase, uppercase, digit, symbol
Conditions: telepath, telepath-v
  – Minimum 6 unpredicted characters
  – “Show Password” checked by default in telepath-v
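The prediction-based policy from the "Generating predictions" slides and the "minimum 6 unpredicted characters" rule, as an added example that is not Telepathwords code or the authors' implementation: three toy predictors (keyboard runs, repeats, a word list with common substitutions) guess the next character, and a password is scored by how many characters none of them guessed. Predictor weights and likelihood scores are omitted; the function names, the word list and the last sample password are assumptions made for illustration.

```javascript
// Added illustration, not Telepathwords code. WORDS is a constructed list.
const ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"];
const WORDS = ["password", "pokemon", "believer", "dragon", "monkey"];
const SUBS = { a: "@", s: "$", o: "0", e: "3", i: "1" }; // letter -> substitute
const UNDO = Object.fromEntries(Object.entries(SUBS).map(([k, v]) => [v, k]));

// Keyboard patterns: two neighbouring keys in a row predict the next key
// in the same direction (q, w -> e).
function keyboardPredictor(prefix) {
  const [a, b] = prefix.toLowerCase().slice(-2);
  if (b === undefined) return [];
  for (const row of ROWS) {
    const i = row.indexOf(a);
    const j = row.indexOf(b);
    if (i >= 0 && j >= 0 && Math.abs(j - i) === 1) {
      const next = row[j + (j - i)];
      return next ? [next] : [];
    }
  }
  return [];
}

// Repeating patterns: if the last p characters repeat the p before them,
// predict the character that continues the cycle.
function repeatPredictor(prefix) {
  const out = [];
  for (let p = 1; p <= 3 && 2 * p <= prefix.length; p++) {
    if (prefix.slice(-p) === prefix.slice(-2 * p, -p)) {
      out.push(prefix[prefix.length - p].toLowerCase());
    }
  }
  return out;
}

// Password sets and common substitutions: undo substitutions in what was
// typed, then complete any known word from at least two characters of context.
function wordPredictor(prefix) {
  const norm = [...prefix.toLowerCase()].map((c) => UNDO[c] || c).join("");
  const out = [];
  for (let start = 0; start + 2 <= norm.length; start++) {
    const tail = norm.slice(start);
    for (const w of WORDS) {
      if (w.length > tail.length && w.startsWith(tail)) {
        const next = w[tail.length];
        out.push(next);
        if (SUBS[next]) out.push(SUBS[next]); // also guess the substituted form
      }
    }
  }
  return out;
}

const PREDICTORS = [keyboardPredictor, repeatPredictor, wordPredictor];

// A character counts as predicted if any predictor guessed it from the
// characters typed before it; everything else is unpredicted.
function unpredictedCount(password) {
  let count = 0;
  for (let i = 0; i < password.length; i++) {
    const guesses = PREDICTORS.flatMap((p) => p(password.slice(0, i)));
    if (!guesses.includes(password[i].toLowerCase())) count++;
  }
  return count;
}

// telepath condition from the slides: minimum 6 unpredicted characters.
const meetsTelepath = (pw, min = 6) => unpredictedCount(pw) >= min;

// 3class8 from the slides: 8+ characters and 3 of the 4 character classes.
function meets3class8(pw) {
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^a-zA-Z0-9]/];
  return pw.length >= 8 && classes.filter((re) => re.test(pw)).length >= 3;
}

// Three passwords quoted on the slides plus one constructed random-looking string.
for (const pw of ["Qwerty!23456", "Password1", "Asdfghjkl123", "vK7#tqLm2x"]) {
  console.log(pw, meets3class8(pw), unpredictedCount(pw), meetsTelepath(pw));
}
```

Run under Node.js, the three passwords taken from the slides all satisfy 3class8 but score 5, 3 and 4 unpredicted characters, below the telepath minimum of 6.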
Conditions
• Character requirements: basic8, 3class8, 3class12
• “Dictionary” policies: 3class8-d, telepath, telepath-v
Evaluation
• N = 2,844 (started) / 2,560 (finished)
• Median age = 27 (limited to 18+)
• 60% male, 44% with Bachelor's or above
• Required 95% acceptance rate and U.S. location
Study design
• Hypothetical email scenario for password creation
Steps:
1. Create a password under a randomly assigned condition
2. Take a survey
3. Recall password
4. Return in two days
Policy metrics
Security
• Weir+ guessability
  – Refinement of [Weir et al. 2009]
  – Minimum number of guesses needed for single password, 2.5%, 5%, and 10%
• zxcvbn entropy estimate
  – Min-entropy; 2.5th, 5th, 10th percentiles
• Probability metrics were not viable
Usability
• Creation difficulty
• Did participants find it insightful?
• Recall difficulty
Security results
Stronger policies
• password, Password1, Asdfghjkl123
• Pokemon91, iamabeliever, 1024scott
Usability: Recall after 2–5 days
Usability: Creation time
Usability: Creation sentiment
Usability
Conclusions
• “Dictionary” policies with real-time feedback can help users avoid weak passwords
  – Usability cost on creation
  – Telepathwords’ feedback gave insight into password strength
Conclusions
• “Dictionary” policies with real-time feedback can help users make stronger passwords
  – Usability cost on creation
  – Telepathwords’ feedback gave insight into password strength
• Character-class requirements had little to no effect on security using our metrics
Returned after 2-5 days
Usability: Stored password
Usability: Recall after 2–5 days
Did not store password Stored password
Usability: Toggled Show Password