Internet Archive Scholar

Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts

Dinei Florêncio, Cormac Herley, Paul C. van Oorschot
2014 USENIX Security Symposium  

Preserved Fulltext

fulltext thumbnail
Web Archive Capture PDF (460.4 kB)
https://web.archive.org/web/20210630152234/https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-florencio.pdf

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2021; you can also visit the original URL. The file type is application/pdf.

We explore how to manage a portfolio of passwords. We review why mandating exclusively strong passwords with no re-use gives users an impossible task as portfolio size grows. We find that approaches justified by loss-minimization alone, and those that ignore important attack vectors (e.g., vectors exploiting re-use), are amenable to analysis but unrealistic. In contrast, we propose, model and analyze portfolio management under a realistic attack suite, with an objective function costing both
more » ... s and user effort. Our findings directly challenge accepted wisdom and conventional advice. We find, for example, that a portfolio strategy ruling out weak passwords or password re-use is sub-optimal. We give an optimal solution for how to group accounts for re-use, and model-based principles for portfolio management.
dblp:conf/uss/FlorencioHO14 fatcat:kwy4ezrsbjdrbdufcgtqbv4ngm
Citation

Dinei Florêncio, Cormac Herley, Paul C. van Oorschot. "Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts." USENIX Security Symposium (2014) 575-590