The next domino to fall: Empirical analysis of user passwords across online services

Chun Wang, Steve T.K. Jan, Hang Hu, Douglas Bossart, Gang Wang

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Leaked passwords from data breaches can pose a serious threat if users reuse or slightly modify the passwords for other services. With more services getting breached today, there is still a lack of a quantitative understanding of this risk. In this paper, we perform the first large-scale empirical analysis of password reuse and modification patterns using a ground-truth dataset of 28.8 million users and their 61.5 million passwords in 107 services over 8 years. We find that password reuse and modification are very common (observed for 52% of the users). Sensitive online services such as shopping websites and email services received the most reused and modified passwords. We also observe that users still reuse already-leaked passwords for other online services for years after the initial data breach. Finally, to quantify the security risks, we develop a new training-based guessing algorithm. We show that more than 16 million password pairs (including 30% of the modified passwords) can be cracked within just 10 guesses.

Original language: English (US)
Title of host publication: CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy
Publisher: Association for Computing Machinery, Inc
Pages: 196-203
Number of pages: 8
ISBN (Electronic): 9781450356329
DOIs
State: Published - Mar 2018
Externally published: Yes
Event: 8th ACM Conference on Data and Application Security and Privacy, CODASPY 2018 - Tempe, United States
Duration: Mar 19 2018 to Mar 21 2018

Conference

Conference: 8th ACM Conference on Data and Application Security and Privacy, CODASPY 2018
Country/Territory: United States
City: Tempe
Period: 3/19/18 to 3/21/18

ASJC Scopus subject areas

  • Computer Science Applications
  • Information Systems
  • Software
