Skip to main content
USENIX
  • Conferences
  • Students
Sign in
  • Overview
  • Proceedings
  • Past Symposia

twitter

Tweets by @usenix

usenix conference policies

  • Event Code of Conduct
  • Conference Network Policy
  • Statement on Environmental Responsibility Policy

You are here

Home » "I Added '!' at the End to Make It Secure": Observing Password Creation in the Lab
Tweet

connect with us

"I Added '!' at the End to Make It Secure": Observing Password Creation in the Lab

Authors: 

Blase Ur, Fumiko Noma, Jonathan Bees, Sean M. Segreti, Richard Shay, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor, Carnegie Mellon University

Abstract: 

Users often make passwords that are easy for attackers to guess. Prior studies have documented features that lead to easily guessed passwords, but have not probed why users craft weak passwords. To understand the genesis of common password patterns and uncover average users’ misconceptions about password strength, we conducted a qualitative interview study. In our lab, 49 participants each created passwords for fictitious banking, email, and news website accounts while thinking aloud. We then interviewed them about their general strategies and inspirations. Most participants had a well-defined process for creating passwords. In some cases, participants consciously made weak passwords. In other cases, however, weak passwords resulted from misconceptions, such as the belief that adding “!” to the end of a password instantly makes it secure or that words that are difficult to spell are more secure than easy-to-spell words. Participants commonly anticipated only very targeted attacks, believing that using a birthday or name is secure if those data are not on Facebook. In contrast, some participants made secure passwords using unpredictable phrases or non-standard capitalization. Based on our data, we identify aspects of password creation ripe for improved guidance or automated intervention.

Blase Ur, Carnegie Mellon University

Fumiko Noma, Carnegie Mellon University

Jonathan Bees, Carnegie Mellon University

Sean M. Segreti, Carnegie Mellon University

Richard Shay, Carnegie Mellon University

Lujo Bauer, Carnegie Mellon University

Nicolas Christin, Carnegie Mellon University

Lorrie Faith Cranor, Carnegie Mellon University

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

Ur PDF
  • Log in or    Register to post comments

© USENIX

  • Privacy Policy
  • Contact Us