Abstract
Passwords leaked in data breaches pose a serious threat when users reuse them, or slightly modified versions of them, for other services. Although more services are being breached today, there is still no quantitative understanding of this risk. In this paper, we perform the first large-scale empirical analysis of password reuse and modification patterns using a ground-truth dataset of 28.8 million users and their 61.5 million passwords across 107 services over 8 years. We find that password reuse and modification are very common (observed for 52% of the users). Sensitive online services such as shopping websites and email services received the most reused and modified passwords. We also observe that users continue to reuse already-leaked passwords for other online services for years after the initial data breach. Finally, to quantify the security risks, we develop a new training-based guessing algorithm. We show that more than 16 million password pairs (including 30% of the modified passwords) can be cracked within just 10 guesses.
Original language | English (US) |
---|---|
Title of host publication | CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy |
Publisher | Association for Computing Machinery, Inc |
Pages | 196-203 |
Number of pages | 8 |
ISBN (Electronic) | 9781450356329 |
DOIs | |
State | Published - Mar 2018 |
Externally published | Yes |
Event | 8th ACM Conference on Data and Application Security and Privacy, CODASPY 2018 - Tempe, United States |
Duration | Mar 19 2018 → Mar 21 2018 |
Conference
Conference | 8th ACM Conference on Data and Application Security and Privacy, CODASPY 2018 |
---|---|
Country/Territory | United States |
City | Tempe |
Period | 3/19/18 → 3/21/18 |
ASJC Scopus subject areas
- Computer Science Applications
- Information Systems
- Software