Zach Parish

CR
3 papers
7 citations
Novelty: 42%
AI Score: 19

3 Papers

CR · Oct 18, 2021
Long Passphrases: Potentials and Limits

Christopher Bonk, Zach Parish, Julie Thorpe et al.

Passphrases offer an alternative to traditional passwords which aim to be stronger and more memorable. However, users tend to choose short passphrases with predictable patterns that may reduce the security they offer. To explore the potential of long passphrases, we formulate a set of passphrase policies and guidelines aimed at supporting their creation and use. Through a 39-day user study we analyze the usability and security of passphrases generated using our policies and guidelines. Our analysis indicates these policies lead to reasonable usability and promising security for some use cases, and that there are some common pitfalls in free-form passphrase creation. Our results suggest that our policies can support the use of long passphrases.

CR · Mar 16, 2021
A Study on Priming Methods for Graphical Passwords

Zach Parish, Amirali Salehi-Abari, Julie Thorpe

Recent work suggests that a type of nudge or priming technique called the presentation effect may potentially improve the security of PassPoints-style graphical passwords. These nudges attempt to prime or non-intrusively bias user password choices (i.e., point selections) by gradually revealing a background image from a particular edge to another edge at password creation time. We conduct a large-scale user study (n=710) to develop further insights into the presence of this effect and to perform the first evaluations of its security impacts. We explore the usability impacts of this effect using the subset (n=100) of participants who returned for all three sessions. Our usability analyses indicate that these priming techniques do not harm usability. Our security analyses reveal that the priming techniques can measurably enhance the security of graphical passwords; however, this effect is dependent on the combination of both the image and priming techniques used.

CR · Aug 18, 2020
Password Guessers Under a Microscope: An In-Depth Analysis to Inform Deployments

Zach Parish, Connor Cushing, Shourya Aggarwal et al.

Password guessers are instrumental for assessing the strength of passwords. Despite their diversity and abundance, little is known about how different guessers compare to each other. We perform in-depth analyses and comparisons of the guessing abilities and behavior of password guessers. To extend analyses beyond number of passwords cracked, we devise an analytical framework to compare the types of passwords that guessers generate under various conditions (e.g., limited training data, limited number of guesses, and dissimilar training and target data). Our results show that guessers often produce dissimilar guesses, even when trained on the same data. We leverage this result to show that combinations of computationally-cheap guessers are as effective as computationally intensive guessers, but more efficient. Our insights allow us to provide a concrete set of recommendations for system administrators when performing password checking.