Blase Ur, Neubauer Family Assistant Professor of Computer Science, received a Best Paper Award at CHI 2017, the prestigious ACM conference on computer-human interaction, held in Denver earlier this month. The paper, titled “Design and Evaluation of a Data-Driven Password Meter,” describes research that will help users select more secure and no less memorable passwords. Ur is the lead author of the paper, which was written with colleagues at Carnegie Mellon University.
The paper builds on previous work, by Ur and coauthors, titled “Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks,” which was presented at the USENIX Security Symposium in 2016 and received a Best paper award there.
That paper proposed using neural networks to simulate a password-guessing attack, which “we hypothesized would let us model in a principled way how humans create passwords using a compact model that could run entirely on the user's computer,” says Ur.
The CHI 2017 paper started with their previous neural network algorithm, but, as Ur explains, “the ultimate goal was to give users explanations for why their password was strong or weak, a task that neural networks do not do.”
“Thus, the CHI 2017 paper augmented the neural network with 21 different structural and semantic characteristics that are common in passwords, and by evaluating these we could also give intelligible explanations to users about why their password is weak. We then designed an interface to present this information and conducted an online, remote user study with 4,509 subjects in which each subject created a password that they had to try to remember at least two days later. We measured a number of aspects of both the security and usability of the passwords users created, finding that the meter we had designed led to much stronger, yet equally memorable, passwords compared to the types of password meters that are widely deployed today.”
More information can be found in an article published by UChicago News and CMU. Read the article here.