Your culture is in your password: An analysis of a demographically-diverse password dataset

Mashael Alsabah, Gabriele Oligeri, Ryan Riley

Research output: Contribution to journal › Article

4 Citations (Scopus)

Abstract

A large number of studies on passwords make use of passwords leaked by attackers who compromised online services. Frequently, these leaks contain only the passwords themselves, or basic information such as usernames or email addresses. While metadata-rich leaks exist, they are often limited in the variety of demographics they cover. In this work, we analyze a meta-data rich data leak from a Middle Eastern bank with a demographically-diverse user base. We provide an analysis of passwords created by groups of people of different cultural backgrounds, some of which are under-represented in existing data leaks, e.g., Arab, Filipino, Indian, and Pakistani. The contributions provided by this work are many-fold. First, our results contribute to the existing body of knowledge regarding how users include personal information in their passwords. Second, we illustrate the differences that exist in how users from different cultural/linguistic backgrounds create passwords. Finally, we study the (empirical and theoretical) guessability of the dataset based on two attacker models, and show that a state of the art password strength estimator inflates the strength of passwords created by users from non-English speaking backgrounds. We improve its estimations by training it with contextually relevant information.

Original language: English
Pages (from-to): 427-441
Number of pages: 15
Journal: Computers and Security
Volume: 77
DOI: 10.1016/j.cose.2018.03.014
Publication status: Published - 1 Aug 2018

Keywords

  • Authentication
  • Authorization
  • Password security
  • Passwords analytics
  • Usable security

ASJC Scopus subject areas

  • Computer Science (all)
  • Law

Cite this

Your culture is in your password: An analysis of a demographically-diverse password dataset. / Alsabah, Mashael; Oligeri, Gabriele; Riley, Ryan.

In: Computers and Security, Vol. 77, 01.08.2018, p. 427-441.

@article{5b686a11c5584385ac42c8062503911c,
title = "Your culture is in your password: An analysis of a demographically-diverse password dataset",
abstract = "A large number of studies on passwords make use of passwords leaked by attackers who compromised online services. Frequently, these leaks contain only the passwords themselves, or basic information such as usernames or email addresses. While metadata-rich leaks exist, they are often limited in the variety of demographics they cover. In this work, we analyze a meta-data rich data leak from a Middle Eastern bank with a demographically-diverse user base. We provide an analysis of passwords created by groups of people of different cultural backgrounds, some of which are under-represented in existing data leaks, e.g., Arab, Filipino, Indian, and Pakistani. The contributions provided by this work are many-fold. First, our results contribute to the existing body of knowledge regarding how users include personal information in their passwords. Second, we illustrate the differences that exist in how users from different cultural/linguistic backgrounds create passwords. Finally, we study the (empirical and theoretical) guessability of the dataset based on two attacker models, and show that a state of the art password strength estimator inflates the strength of passwords created by users from non-English speaking backgrounds. We improve its estimations by training it with contextually relevant information.",
keywords = "Authentication, Authorization, Password security, Passwords analytics, Usable security",
author = "Mashael Alsabah and Gabriele Oligeri and Ryan Riley",
year = "2018",
month = "8",
day = "1",
doi = "10.1016/j.cose.2018.03.014",
language = "English",
volume = "77",
pages = "427--441",
journal = "Computers and Security",
issn = "0167-4048",
publisher = "Elsevier Limited",

}

TY - JOUR

T1 - Your culture is in your password

T2 - An analysis of a demographically-diverse password dataset

AU - Alsabah, Mashael

AU - Oligeri, Gabriele

AU - Riley, Ryan

PY - 2018/8/1

Y1 - 2018/8/1

N2 - A large number of studies on passwords make use of passwords leaked by attackers who compromised online services. Frequently, these leaks contain only the passwords themselves, or basic information such as usernames or email addresses. While metadata-rich leaks exist, they are often limited in the variety of demographics they cover. In this work, we analyze a meta-data rich data leak from a Middle Eastern bank with a demographically-diverse user base. We provide an analysis of passwords created by groups of people of different cultural backgrounds, some of which are under-represented in existing data leaks, e.g., Arab, Filipino, Indian, and Pakistani. The contributions provided by this work are many-fold. First, our results contribute to the existing body of knowledge regarding how users include personal information in their passwords. Second, we illustrate the differences that exist in how users from different cultural/linguistic backgrounds create passwords. Finally, we study the (empirical and theoretical) guessability of the dataset based on two attacker models, and show that a state of the art password strength estimator inflates the strength of passwords created by users from non-English speaking backgrounds. We improve its estimations by training it with contextually relevant information.

KW - Authentication

KW - Authorization

KW - Password security

KW - Passwords analytics

KW - Usable security

UR - http://www.scopus.com/inward/record.url?scp=85047259015&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85047259015&partnerID=8YFLogxK

U2 - 10.1016/j.cose.2018.03.014

DO - 10.1016/j.cose.2018.03.014

M3 - Article

AN - SCOPUS:85047259015

VL - 77

SP - 427

EP - 441

JO - Computers and Security

JF - Computers and Security

SN - 0167-4048

ER -