Chi-en Amy Tai (University of Waterloo), Urs Hengartner (University of Waterloo), Alexander Wong (University of Waterloo)

Passwords are a ubiquitous form of authentication that is still present for many online services and platforms. Researchers have measured password creation policies for a multitude of websites and studied password creation behaviour for users who speak various languages. Evidence shows that limiting all users to alphanumeric characters and select special characters resulted in weaker passwords for certain demographics. However, password creation policies still concentrate on only alphanumeric characters and focus on increasing the length of passwords rather than the diversity of potential characters in the password. With the recent recommendation towards passphrases, further concerns arise pertaining to the potential consequences of not being inclusive in password creation. Previous work studying multilingual passphrase policies that combined English and African languages showed that multilingual passphrases are more user-friendly and also more difficult to guess than a passphrase based on a single language. However, their work only studied passphrases based on standard alphanumeric characters. In this paper, we measure the password strength of using a multilingual passphrase that contains characters outside of the standard alphanumeric characters and assess the availability of such multilingual passwords for websites with free account creation in the Tranco top 50 list and the Semrush top 20 websites in China list. We find that password strength meters like zxcvbn and MultiPSM surprisingly struggle with correctly assessing the strength of non-English-only passphrases with MultiPSM encountering an encoding issue with non-alphanumeric characters. In addition, we find that half of all tested valid websites accept multilingual passphrases but three websites struggled in general due to imposing a maximum password character limitation.

View More Papers

EMMasker: EM Obfuscation Against Website Fingerprinting

Mohammed Aldeen, Sisheng Liang, Zhenkai Zhang, Linke Guo (Clemson University), Zheng Song (University of Michigan – Dearborn), and Long Cheng (Clemson University)

Read More

Towards Understanding Unsafe Video Generation

Yan Pang (University of Virginia), Aiping Xiong (Penn State University), Yang Zhang (CISPA Helmholtz Center for Information Security), Tianhao Wang (University of Virginia)

Read More

“Do We Call Them That? Absolutely Not.”: Juxtaposing the...

Alexandra Klymenko (Technical University of Munich), Stephen Meisenbacher (Technical University of Munich), Luca Favaro (Technical University of Munich), and Florian Matthes (Technical University of Munich)

Read More

Uncovering the iceberg from the tip: Generating API Specifications...

Miaoqian Lin (Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, China), Kai Chen (Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, China), Yi Yang (Institute of Information Engineering, Chinese Academy of…

Read More