The next domino to fall: Empirical analysis of user passwords across online services

Chun Wang; Steve T.K. Jan; Hang Hu; Douglas Bossart; Gang Wang

doi:10.1145/3176258.3176332

The next domino to fall: Empirical analysis of user passwords across online services

Chun Wang
, Steve T.K. Jan
, Hang Hu
, Douglas Bossart
, Gang Wang

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Leaked passwords from data breaches can pose a serious threat if users reuse or slightly modify the passwords for other services. With more services getting breached today, there is still a lack of a quantitative understanding of this risk. In this paper, we perform the first large-scale empirical analysis of password reuse and modification patterns using a ground-truth dataset of 28.8 million users and their 61.5 million passwords in 107 services over 8 years. We find that password reuse and modification is very common (observed on 52% of the users). Sensitive online services such as shopping websites and email services received the most reused and modified passwords. We also observe that users would still reuse the already-leaked passwords for other online services for years after the initial data breach. Finally, to quantify the security risks, we develop a new training-based guessing algorithm. We show that more than 16 million password pairs (including 30% of the modified passwords) can be cracked within just 10 guesses.

Original language	English (US)
Title of host publication	CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy
Publisher	Association for Computing Machinery
Pages	196-203
Number of pages	8
ISBN (Electronic)	9781450356329
DOIs	https://doi.org/10.1145/3176258.3176332
State	Published - Mar 2018
Externally published	Yes
Event	8th ACM Conference on Data and Application Security and Privacy, CODASPY 2018 - Tempe, United States Duration: Mar 19 2018 → Mar 21 2018

Conference

Conference	8th ACM Conference on Data and Application Security and Privacy, CODASPY 2018
Country/Territory	United States
City	Tempe
Period	3/19/18 → 3/21/18

ASJC Scopus subject areas

Computer Science Applications
Information Systems
Software

Online availability

10.1145/3176258.3176332

Library availability

Discover UIUC Full Text

Cite this

The next domino to fall: Empirical analysis of user passwords across online services. / Wang, Chun; Jan, Steve T.K.; Hu, Hang et al.
CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy. Association for Computing Machinery, 2018. p. 196-203.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Wang, C, Jan, STK, Hu, H, Bossart, D & Wang, G 2018, The next domino to fall: Empirical analysis of user passwords across online services. in CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy. Association for Computing Machinery, pp. 196-203, 8th ACM Conference on Data and Application Security and Privacy, CODASPY 2018, Tempe, United States, 3/19/18. https://doi.org/10.1145/3176258.3176332

@inproceedings{9df216cff291448d9da2afd23318e397,

title = "The next domino to fall: Empirical analysis of user passwords across online services",

abstract = "Leaked passwords from data breaches can pose a serious threat if users reuse or slightly modify the passwords for other services. With more services getting breached today, there is still a lack of a quantitative understanding of this risk. In this paper, we perform the first large-scale empirical analysis of password reuse and modification patterns using a ground-truth dataset of 28.8 million users and their 61.5 million passwords in 107 services over 8 years. We find that password reuse and modification is very common (observed on 52\% of the users). Sensitive online services such as shopping websites and email services received the most reused and modified passwords. We also observe that users would still reuse the already-leaked passwords for other online services for years after the initial data breach. Finally, to quantify the security risks, we develop a new training-based guessing algorithm. We show that more than 16 million password pairs (including 30\% of the modified passwords) can be cracked within just 10 guesses.",

author = "Chun Wang and Jan, \{Steve T.K.\} and Hang Hu and Douglas Bossart and Gang Wang",

note = "This project was supported by NSF grant CNS-1717028. Any opinions, conclusions or recommendations expressed in this material do not necessarily reflect the views of the funding agency.; 8th ACM Conference on Data and Application Security and Privacy, CODASPY 2018 ; Conference date: 19-03-2018 Through 21-03-2018",

year = "2018",

month = mar,

doi = "10.1145/3176258.3176332",

language = "English (US)",

pages = "196--203",

booktitle = "CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy",

publisher = "Association for Computing Machinery",

address = "United States",

}

TY - GEN

T1 - The next domino to fall

T2 - 8th ACM Conference on Data and Application Security and Privacy, CODASPY 2018

AU - Wang, Chun

AU - Jan, Steve T.K.

AU - Hu, Hang

AU - Bossart, Douglas

AU - Wang, Gang

N1 - This project was supported by NSF grant CNS-1717028. Any opinions, conclusions or recommendations expressed in this material do not necessarily reflect the views of the funding agency.

PY - 2018/3

Y1 - 2018/3

N2 - Leaked passwords from data breaches can pose a serious threat if users reuse or slightly modify the passwords for other services. With more services getting breached today, there is still a lack of a quantitative understanding of this risk. In this paper, we perform the first large-scale empirical analysis of password reuse and modification patterns using a ground-truth dataset of 28.8 million users and their 61.5 million passwords in 107 services over 8 years. We find that password reuse and modification is very common (observed on 52% of the users). Sensitive online services such as shopping websites and email services received the most reused and modified passwords. We also observe that users would still reuse the already-leaked passwords for other online services for years after the initial data breach. Finally, to quantify the security risks, we develop a new training-based guessing algorithm. We show that more than 16 million password pairs (including 30% of the modified passwords) can be cracked within just 10 guesses.

AB - Leaked passwords from data breaches can pose a serious threat if users reuse or slightly modify the passwords for other services. With more services getting breached today, there is still a lack of a quantitative understanding of this risk. In this paper, we perform the first large-scale empirical analysis of password reuse and modification patterns using a ground-truth dataset of 28.8 million users and their 61.5 million passwords in 107 services over 8 years. We find that password reuse and modification is very common (observed on 52% of the users). Sensitive online services such as shopping websites and email services received the most reused and modified passwords. We also observe that users would still reuse the already-leaked passwords for other online services for years after the initial data breach. Finally, to quantify the security risks, we develop a new training-based guessing algorithm. We show that more than 16 million password pairs (including 30% of the modified passwords) can be cracked within just 10 guesses.

UR - https://www.scopus.com/pages/publications/85050406631

UR - https://www.scopus.com/pages/publications/85050406631#tab=citedBy

U2 - 10.1145/3176258.3176332

DO - 10.1145/3176258.3176332

M3 - Conference contribution

AN - SCOPUS:85050406631

SP - 196

EP - 203

BT - CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy

PB - Association for Computing Machinery

Y2 - 19 March 2018 through 21 March 2018

ER -

The next domino to fall: Empirical analysis of user passwords across online services

Abstract

Conference

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this