Surpass: System-initiated user-replaceable passwords

Jun Ho Huh; Seongyeol Oh; Hyoungshick Kim; Konstantin Beznosov; Apurva Mohan; S. Raj Rajagopalan

doi:10.1145/2810103.2813622

Surpass: System-initiated user-replaceable passwords

Jun Ho Huh
, Seongyeol Oh
, Hyoungshick Kim
, Konstantin Beznosov
, Apurva Mohan
, S. Raj Rajagopalan

Department of Computer Science and Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

36 Scopus citations

Abstract

System-generated random passwords have maximum password security and are highly resistant to guessing attacks. However, few systems use such passwords because they are difficult to remember. In this paper, we propose a systeminitiated password scheme called "Surpass" that lets users replace few characters in a random password to make it more memorable. We conducted a large-scale online study to evaluate the usability and security of four Surpass policies, varying the number of character replacements allowed from 1 to 4 in randomly-generated 8-character passwords. The study results suggest that some Surpass policies (with 3 and 4 character replacements) outperform by 11% to 13% the original randomly-generated password policy in memorability, while showing a small increase in the percentage of cracked passwords. When compared to a user-generated password complexity policy (that mandates the use of numbers, symbols, and uppercase letters) the Surpass policy with 4-character replacements did not show statistically significant inferiority in memorability. Our qualitative lab study showed similar trends. This Surpass policy demonstrated significant superiority in security though, with 21% fewer cracked passwords than the user-generated password policy.

Original language	English
Title of host publication	CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
Publisher	Association for Computing Machinery
Pages	170-181
Number of pages	12
ISBN (Electronic)	9781450338325
DOIs	https://doi.org/10.1145/2810103.2813622
State	Published - 12 Oct 2015
Event	22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015 - Denver, United States Duration: 12 Oct 2015 → 16 Oct 2015

Publication series

Name	Proceedings of the ACM Conference on Computer and Communications Security
Volume	2015-October
ISSN (Print)	1543-7221

Conference

Conference	22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015
Country/Territory	United States
City	Denver
Period	12/10/15 → 16/10/15

Keywords

Passwords
Policy
Security
Usability

Access to Document

10.1145/2810103.2813622

Cite this

Huh, J. H., Oh, S., Kim, H., Beznosov, K., Mohan, A., & Rajagopalan, S. R. (2015). Surpass: System-initiated user-replaceable passwords. In CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (pp. 170-181). (Proceedings of the ACM Conference on Computer and Communications Security; Vol. 2015-October). Association for Computing Machinery. https://doi.org/10.1145/2810103.2813622

@inproceedings{c9959b4de1c64f1b8d7daba4bd4e3815,

title = "Surpass: System-initiated user-replaceable passwords",

abstract = "System-generated random passwords have maximum password security and are highly resistant to guessing attacks. However, few systems use such passwords because they are difficult to remember. In this paper, we propose a systeminitiated password scheme called {"}Surpass{"} that lets users replace few characters in a random password to make it more memorable. We conducted a large-scale online study to evaluate the usability and security of four Surpass policies, varying the number of character replacements allowed from 1 to 4 in randomly-generated 8-character passwords. The study results suggest that some Surpass policies (with 3 and 4 character replacements) outperform by 11\% to 13\% the original randomly-generated password policy in memorability, while showing a small increase in the percentage of cracked passwords. When compared to a user-generated password complexity policy (that mandates the use of numbers, symbols, and uppercase letters) the Surpass policy with 4-character replacements did not show statistically significant inferiority in memorability. Our qualitative lab study showed similar trends. This Surpass policy demonstrated significant superiority in security though, with 21\% fewer cracked passwords than the user-generated password policy.",

keywords = "Passwords, Policy, Security, Usability",

author = "Huh, \{Jun Ho\} and Seongyeol Oh and Hyoungshick Kim and Konstantin Beznosov and Apurva Mohan and Rajagopalan, \{S. Raj\}",

year = "2015",

month = oct,

day = "12",

doi = "10.1145/2810103.2813622",

language = "English",

series = "Proceedings of the ACM Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery",

pages = "170--181",

booktitle = "CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security",

note = "22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015 ; Conference date: 12-10-2015 Through 16-10-2015",

}

Huh, JH, Oh, S, Kim, H, Beznosov, K, Mohan, A & Rajagopalan, SR 2015, Surpass: System-initiated user-replaceable passwords. in CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, vol. 2015-October, Association for Computing Machinery, pp. 170-181, 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015, Denver, United States, 12/10/15. https://doi.org/10.1145/2810103.2813622

Surpass: System-initiated user-replaceable passwords. / Huh, Jun Ho; Oh, Seongyeol; Kim, Hyoungshick et al.
CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, 2015. p. 170-181 (Proceedings of the ACM Conference on Computer and Communications Security; Vol. 2015-October).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Surpass

T2 - 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015

AU - Huh, Jun Ho

AU - Oh, Seongyeol

AU - Kim, Hyoungshick

AU - Beznosov, Konstantin

AU - Mohan, Apurva

AU - Rajagopalan, S. Raj

PY - 2015/10/12

Y1 - 2015/10/12

N2 - System-generated random passwords have maximum password security and are highly resistant to guessing attacks. However, few systems use such passwords because they are difficult to remember. In this paper, we propose a systeminitiated password scheme called "Surpass" that lets users replace few characters in a random password to make it more memorable. We conducted a large-scale online study to evaluate the usability and security of four Surpass policies, varying the number of character replacements allowed from 1 to 4 in randomly-generated 8-character passwords. The study results suggest that some Surpass policies (with 3 and 4 character replacements) outperform by 11% to 13% the original randomly-generated password policy in memorability, while showing a small increase in the percentage of cracked passwords. When compared to a user-generated password complexity policy (that mandates the use of numbers, symbols, and uppercase letters) the Surpass policy with 4-character replacements did not show statistically significant inferiority in memorability. Our qualitative lab study showed similar trends. This Surpass policy demonstrated significant superiority in security though, with 21% fewer cracked passwords than the user-generated password policy.

AB - System-generated random passwords have maximum password security and are highly resistant to guessing attacks. However, few systems use such passwords because they are difficult to remember. In this paper, we propose a systeminitiated password scheme called "Surpass" that lets users replace few characters in a random password to make it more memorable. We conducted a large-scale online study to evaluate the usability and security of four Surpass policies, varying the number of character replacements allowed from 1 to 4 in randomly-generated 8-character passwords. The study results suggest that some Surpass policies (with 3 and 4 character replacements) outperform by 11% to 13% the original randomly-generated password policy in memorability, while showing a small increase in the percentage of cracked passwords. When compared to a user-generated password complexity policy (that mandates the use of numbers, symbols, and uppercase letters) the Surpass policy with 4-character replacements did not show statistically significant inferiority in memorability. Our qualitative lab study showed similar trends. This Surpass policy demonstrated significant superiority in security though, with 21% fewer cracked passwords than the user-generated password policy.

KW - Passwords

KW - Policy

KW - Security

KW - Usability

UR - https://www.scopus.com/pages/publications/84954127511

U2 - 10.1145/2810103.2813622

DO - 10.1145/2810103.2813622

M3 - Conference contribution

AN - SCOPUS:84954127511

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 170

EP - 181

BT - CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

PB - Association for Computing Machinery

Y2 - 12 October 2015 through 16 October 2015

ER -

Huh JH, Oh S, Kim H, Beznosov K, Mohan A, Rajagopalan SR. Surpass: System-initiated user-replaceable passwords. In CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery. 2015. p. 170-181. (Proceedings of the ACM Conference on Computer and Communications Security). doi: 10.1145/2810103.2813622

Surpass: System-initiated user-replaceable passwords

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this