Chi-en Amy Tai (University of Waterloo), Urs Hengartner (University of Waterloo), Alexander Wong (University of Waterloo)

Passwords are a ubiquitous form of authentication that is still present for many online services and platforms. Researchers have measured password creation policies for a multitude of websites and studied password creation behaviour for users who speak various languages. Evidence shows that limiting all users to alphanumeric characters and select special characters resulted in weaker passwords for certain demographics. However, password creation policies still concentrate on only alphanumeric characters and focus on increasing the length of passwords rather than the diversity of potential characters in the password. With the recent recommendation towards passphrases, further concerns arise pertaining to the potential consequences of not being inclusive in password creation. Previous work studying multilingual passphrase policies that combined English and African languages showed that multilingual passphrases are more user-friendly and also more difficult to guess than a passphrase based on a single language. However, their work only studied passphrases based on standard alphanumeric characters. In this paper, we measure the password strength of using a multilingual passphrase that contains characters outside of the standard alphanumeric characters and assess the availability of such multilingual passwords for websites with free account creation in the Tranco top 50 list and the Semrush top 20 websites in China list. We find that password strength meters like zxcvbn and MultiPSM surprisingly struggle with correctly assessing the strength of non-English-only passphrases with MultiPSM encountering an encoding issue with non-alphanumeric characters. In addition, we find that half of all tested valid websites accept multilingual passphrases but three websites struggled in general due to imposing a maximum password character limitation.

View More Papers

NDSS Symposium 2025 Welcome and Opening Remarks

General Chairs: David Balenson, USC Information Sciences Institute and Heng Yin, University of California, Riverside Program Chairs: Christina Pöpper, New York University Abu Dhabi and Hamed Okhravi, MIT Lincoln Laboratory Artifact Evaluation Chairs: Daniele Cono D’Elia, Sapienza University and Mathy Vanhoef, KU Leuven

Read More

The Midas Touch: Triggering the Capability of LLMs for...

Yi Yang (Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, China), Jinghua Liu (Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, China), Kai Chen (Institute of Information Engineering, Chinese Academy of…

Read More

SecuWear: Secure Data Sharing Between Wearable Devices

Sujin Han (KAIST) Diana A. Vasile (Nokia Bell Labs), Fahim Kawsar (Nokia Bell Labs, University of Glasgow), Chulhong Min (Nokia Bell Labs)

Read More