Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts

Friday, August 1, 2014 - 10:15am
Authors: 

Dinei Florêncio and Cormac Herley, Microsoft Research; Paul C. van Oorschot, Carleton University

Abstract: 

We explore how to manage a portfolio of passwords. We review why mandating exclusively strong passwords with no re-use gives users an impossible task as portfolio size grows. We find that approaches justified by loss-minimization alone, and those that ignore important attack vectors (e.g., vectors exploiting re-use), are amenable to analysis but unrealistic. In contrast, we propose, model and analyze portfolio management under a realistic attack suite, with an objective function costing both loss and user effort. Our findings directly challenge accepted wisdom and conventional advice. We find, for example, that a portfolio strategy ruling out weak passwords or password re-use is sub-optimal. We give an optimal solution for how to group accounts for re-use, and model-based principles for portfolio management.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

Florêncio PDF
View the slides
BibTeX
@inproceedings {184477,
author = {Dinei Flor{\^e}ncio and Cormac Herley and Paul C. van Oorschot},
title = {Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts},
booktitle = {23rd {USENIX} Security Symposium ({USENIX} Security 14)},
year = {2014},
isbn = {978-1-931971-15-7},
address = {San Diego, CA},
pages = {575--590},
url = {https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/florencio},
publisher = {{USENIX} Association},
month = aug,
}
Download

Presentation Video

Download Video

Presentation Audio