Research utilizes data-driven feedback to help users strengthen passwords

One of the most popular passwords in 2016 was “qwertyuiop”—the string of horizontal letters from the top line of a keyboard. Even though most password meters suggest that it's weak, none offers advice on how to strengthen it.

Researchers from Carnegie Mellon University and the University of Chicago have unveiled technology that offers real-time feedback and advice to help people create better passwords. To evaluate its performance, the team conducted an online study in which they asked more than 4,500 people to use it to create a password.

“Instead of just having a meter say, ‘Your password is bad,’ we thought it would be useful for the meter to say, ‘Here’s why it’s bad, and here’s how you could do better,’” said study co-author Nicolas Christin, professor in engineering and public policy at Carnegie Mellon University.

The study will be presented at this week’s CHI 2017 conference in Denver, where it also will receive a “Best Paper Award.” A demo of the meter can be viewed here.

“The key result is that providing the data-driven feedback actually makes a huge difference in security, compared to just having a password labeled as weak or strong,” said study lead author Blase Ur, assistant professor at the University of Chicago’s Department of Computer Science. “Our new meter led users to create stronger passwords that were no harder to remember than passwords created without the feedback.”

The meter works by employing an artificial neural network: a large, complex map of information that resembles the way neurons behave in the brain. The team conducted a study about this neural network approach that was honored at the USENIX security conference in August 2016. The network “learns” by scanning millions of existing passwords and identifying trends. If the meter detects a characteristic in your password that it knows attackers may guess, it will tell you.

“The way attackers guess passwords is by exploiting the patterns that they observe in large datasets of breached passwords,” said Ur. “For example, if you change Es to 3s in your password, that’s not going to fool an attacker. The meter will explain how prevalent that substitution is and offer advice on what to do instead.”

The team has open-sourced their meter on GitHub.

“There’s a lot of different tweaking that one could imagine doing for a specific application of the meter,” said Ur. “We’re hoping to do some of that ourselves and also engage other members of the security and privacy community to help contribute to the meter.”

Article was first published by Carnegie Mellon University.