how does y our password m easure up

HOW DOES YOUR PASSWORD MEASURE UP

The Effect of Strength Meters on Password Creation

Rui Xie

Password Meters• Users could receive feedback when creating password• Users could create “STRONG” password by password

meters• Widely used• Different shapes and sizes

Primary Research Questions• The affection of password on:

• Composition• Guessability• Creation Process• Memorability• User Sentiment

• Important elements of meter design

Methodology• 2931 participants online study• Between-subjects design• Study in 2 parts, last 2 more days

• Part 1: create a password and take a survey about creation(48hours)

• Part 2: re-enter password and answer a survey on remembering password

Conditions• Control conditions

• Visual differences

• Scoring differences

• Both Visual & Scoring differences

Control Conditions• Conditions to which all others were compared

• No meter: no feedback

• Baseline meter: stand password meter

Visual Differences• Three-segment• Green• Tiny• Huge• No suggestions• Text-only• Bunny condition

Scoring differences• Half-score• One-third-score• Nudge-16• Nudge-comp8

Visual & Scoring differences• Text-only-half• Bold-text-only-half

Stringent Meters• Half-score

• One-third-score

• Text-only-half

• Bold text-only-half

Metrics for Results• Composition

• Guessability

• Creation process

• Memorability

• Sentiment

Composition• Password length

Guessability• Threat model: offline attack• Weak adversary: 500 million guesses• Medium adversary: 50 billion guesses • Strong adversary: 5 trillion guesses

Results of Guessability (Visual)

Results of Guessability (Scoring)

Results of Guessability (Stringent)

Process of Creating Password• Time of creating password• Changing mind during creating password

Time of creating password Change mind

Memorability• After 5 minutes still remember and 2 days later has the

same effect• Return rate• Write password down or use electronic devices to record

it

Sentiment• Different level of agreement with 14 statements on

password creation and password meter• Results

• Stringent meters a bit more annoying• Stringent meters violate expections

Meters Matter• Meters leads to longer password• Stringent meters reduce guessability• Memorability will not be affect by maters• Overly stringent meters don’t add benefits