A Wild Password Appears

Here is my overview of the paper Let’s Go in for a Closer Look: Observing Passwords in Their Natural Habitat by Pearman et al. recently presented at ACM CCS’17.

Paper

This is a report on a study of 154 participants’ password usage behaviours over a significant period — minimum 30, average 147 days each. The most interesting things researchers looked into were a problem of password reuse, what attributes (e.g. length, composition, strength) correlate with it, and also whether the use of password managers or autofill in the browser affects reuse and password’s strength.

Piggybacking another ongoing longitudinal study called Security Behavior Observatory, authors installed browser extensions on personal computers of participants that collected for every used password its salted hash, composition, strength as well as hashes of all of its substrings. They also checked downloads against Google Safe Browsing API and “file hashes from users’ filesystems to results in VirusTotal’ database,” but don’t provide any more details on the latter part.

Results are rather upsetting:

Notes

I don’t have strong arguments for this, but I feel like the way authors aggregate data for analysis, — computing mean for each participant separately and then mean, median and standard deviation of these means, — could introduce artefacts, but they don’t address this. I’ll try to investigate this later.

Also, I don’t think we can make any conclusions about password managers and autofill. In the Methodology section, authors say that keystroke data collection, a dataset that later allowed distinguishing a copy-paste or autofill from the regular password input, was done during just the last seven weeks of the study. It’s not clear how they were detecting a presence of password manager (using keystroke data or not?), but only 19 participants had them. I’d say there’s still not enough data on this.