Author(s): Hana Habib, Jessica Colnago, William Melicher, Blase Ur, Sean Segreti, Lujo Bauer, Nicolas Christin, Lorrie Cranor

Download: Paper (PDF)

Date: 26 Feb 2017

Document Type: Reports

Additional Documents: Slides

Associated Event: NDSS Symposium 2017
Attackers often target common passwords in guessing attacks, leading some website administrators to make common passwords ineligible for use on their sites. While past research has shown that adding such blacklists to a password policy generally makes resulting passwords harder to guess, it is important to understand whether users go on to create significantly stronger passwords, or ones that are only marginally better. In this paper, we investigate how users change the composition and strength of their passwords after a blacklisted password attempt. Additionally, we analyze differences in sentiment toward password creation based on whether a user created a blacklisted password. Our examination utilizes data collected from a previous online study evaluating various design features of a password meter through a password creation task. We analyzed 2,280 password creation sessions and found that participants who reused even a modified version of a blacklisted attempt during the task ultimately created significantly weaker passwords than those who did not attempt to use a blacklisted password. Our results also indicate that text feedback provided by a password meter mitigated this effect.