One of the most popular passwords in 2016 was "qwertyuiop," even though most password meters will tell say it's a weak choice. The problem is that no existing meters offer any good advice to make it better — until now.
Researchers from Carnegie Mellon University and the University of Chicago have unveiled a new, state-of-the-art password meter that offers real-time feedback and advice to help people create better passwords. To evaluate its performance, the team conducted an online study in which they asked 4,509 people to use the meter to create a password.
"Instead of having a meter say, 'Your password is bad,' we thought it would be useful for the meter to say, 'Here's why it's bad and here's how you could do better,'" said study co-author Nicolas Christin, a CyLab Security and Privacy Institute faculty member and professor in Carnegie Mellon's Engineering and Public Policy Department and the Institute for Software Research.
The study will be presented at this week's CHI 2017, the Conference on Human Factors in Computing Systems, in Denver, where it will also receive a Best Paper award. A demo of the meter can be viewed on the CyLab Usable Privacy and Security Laboratory website.
"The key result is that providing the data-driven feedback actually makes a huge difference in security compared to just having a password labeled as weak or strong," said Blase Ur, a former CyLab graduate student who was lead author on the study and is now an assistant professor in the University of Chicago's Department of Computer Science. "Our new meter led users to create stronger passwords that were no harder to remember than passwords created without the feedback."
The meter employs an artificial neural network — a large, complex map of information that resembles the way neurons behave in the brain. The network "learns" by scanning millions of existing passwords and identifying trends. If the meter detects a characteristic in a password that it knows attackers may guess, it tells the user.
"The way attackers guess passwords is by exploiting the patterns that they observe in large datasets of breached passwords," Ur said. "For example, if you change 'Es' to '3s' in your password, that's not going to fool an attacker. The meter will explain how prevalent that substitution is and offer advice on what to do instead."
This data-driven feedback is presented in real-time, as a user is typing a password.
The team has open-sourced its meter on GitHub.
"There's a lot of different tweaking one could imagine doing for a specific application of the meter," Ur said. "We're hoping to do some of that ourselves, and also engage other members of the security and privacy community to help contribute to the meter."
Other authors on the study included current CMU students Jessica Colnago, Henry Dixon, Pardis Emami-Naeini, Hana Habib, Noah Johnson and William Melicher; former CMU students Felicia Alfieri and Maung Aung; and Lujo Bauer, associate professor in the ISR and the Electrical and Computer Engineering Department; and Lorrie Faith Cranor, professor of computer science and engineering and public policy.