Hierarchy of users' web passwords: Perceptions, practices and susceptibilities

S. M.Taiabul Haque; Matthew Wright; Shannon Scielzo

doi:10.1016/j.ijhcs.2014.07.007

Hierarchy of users' web passwords: Perceptions, practices and susceptibilities

S. M.Taiabul Haque, Matthew Wright, Shannon Scielzo

Research output: Contribution to journal › Article › peer-review

22 Scopus citations

Abstract

In this study, we propose a hierarchy of password importance, and we use an experiment to examine the degree of similarity between passwords for lower-level (e.g. news portal) and higher-level (e.g. banking) websites in this hierarchy. We asked subjects to construct passwords for websites at both levels. Leveraging the lower-level passwords along with a dictionary attack, we successfully cracked almost one-third of the subjects' higher-level passwords. In a survey, subjects reported frequently reusing higher-level passwords, with or without modifications, as well as using a similar process to construct both levels of passwords. We thus conclude that unsafely shared or leaked lower-level passwords can be used by attackers to crack higher-level passwords.

Original language	English (US)
Pages (from-to)	860-874
Number of pages	15
Journal	International Journal of Human Computer Studies
Volume	72
Issue number	12
DOIs	https://doi.org/10.1016/j.ijhcs.2014.07.007
State	Published - Dec 2014

Keywords

Password
Security
Survey
Usability

ASJC Scopus subject areas

Software
Human Factors and Ergonomics
Education
Engineering(all)
Human-Computer Interaction
Hardware and Architecture

Access to Document

10.1016/j.ijhcs.2014.07.007

Cite this

@article{32b4e73c4edf40689a5b69d3a29838e9,

title = "Hierarchy of users' web passwords: Perceptions, practices and susceptibilities",

abstract = "In this study, we propose a hierarchy of password importance, and we use an experiment to examine the degree of similarity between passwords for lower-level (e.g. news portal) and higher-level (e.g. banking) websites in this hierarchy. We asked subjects to construct passwords for websites at both levels. Leveraging the lower-level passwords along with a dictionary attack, we successfully cracked almost one-third of the subjects' higher-level passwords. In a survey, subjects reported frequently reusing higher-level passwords, with or without modifications, as well as using a similar process to construct both levels of passwords. We thus conclude that unsafely shared or leaked lower-level passwords can be used by attackers to crack higher-level passwords.",

keywords = "Password, Security, Survey, Usability",

author = "Haque, {S. M.Taiabul} and Matthew Wright and Shannon Scielzo",

note = "Funding Information: This material is based upon work supported by the National Science Foundation (NSF) under Grant No. CNS-1117866.",

year = "2014",

month = dec,

doi = "10.1016/j.ijhcs.2014.07.007",

language = "English (US)",

volume = "72",

pages = "860--874",

journal = "International Journal of Human Computer Studies",

issn = "1071-5819",

publisher = "Academic Press Inc.",

number = "12",

}

TY - JOUR

T1 - Hierarchy of users' web passwords

T2 - Perceptions, practices and susceptibilities

AU - Haque, S. M.Taiabul

AU - Wright, Matthew

AU - Scielzo, Shannon

N1 - Funding Information: This material is based upon work supported by the National Science Foundation (NSF) under Grant No. CNS-1117866.

PY - 2014/12

Y1 - 2014/12

N2 - In this study, we propose a hierarchy of password importance, and we use an experiment to examine the degree of similarity between passwords for lower-level (e.g. news portal) and higher-level (e.g. banking) websites in this hierarchy. We asked subjects to construct passwords for websites at both levels. Leveraging the lower-level passwords along with a dictionary attack, we successfully cracked almost one-third of the subjects' higher-level passwords. In a survey, subjects reported frequently reusing higher-level passwords, with or without modifications, as well as using a similar process to construct both levels of passwords. We thus conclude that unsafely shared or leaked lower-level passwords can be used by attackers to crack higher-level passwords.

AB - In this study, we propose a hierarchy of password importance, and we use an experiment to examine the degree of similarity between passwords for lower-level (e.g. news portal) and higher-level (e.g. banking) websites in this hierarchy. We asked subjects to construct passwords for websites at both levels. Leveraging the lower-level passwords along with a dictionary attack, we successfully cracked almost one-third of the subjects' higher-level passwords. In a survey, subjects reported frequently reusing higher-level passwords, with or without modifications, as well as using a similar process to construct both levels of passwords. We thus conclude that unsafely shared or leaked lower-level passwords can be used by attackers to crack higher-level passwords.

KW - Password

KW - Security

KW - Survey

KW - Usability

UR - http://www.scopus.com/inward/record.url?scp=84908317062&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84908317062&partnerID=8YFLogxK

U2 - 10.1016/j.ijhcs.2014.07.007

DO - 10.1016/j.ijhcs.2014.07.007

M3 - Article

AN - SCOPUS:84908317062

SN - 1071-5819

VL - 72

SP - 860

EP - 874

JO - International Journal of Human Computer Studies

JF - International Journal of Human Computer Studies

IS - 12

ER -

Hierarchy of users' web passwords: Perceptions, practices and susceptibilities

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this