Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Improving Users' Passwords with DPAR: a Data-driven Password Recommendation System

Assaf Morag, Liron David, Eran Toch, Avishai Wool

TL;DR

DPAR addresses the ongoing challenge of helping users create strong, memorable passwords by recommending small, user-specific edits rather than generating entirely new passwords. It leverages PESrank, a data-driven strength model trained on a corpus of 905 million leaked passwords, to decompose a password into five dimensions and generate 676 candidate tweaks that balance similarity and security. Across two studies (n=317 memorability; n=441 strength/recall), DPAR increased password strength by about 34.8 bits on average and achieved a 36.6% verbatim adoption rate of recommendations, with recall unaffected relative to feedback-only approaches. The work demonstrates that actionable, per-password recommendations can boost security while maintaining usability, though interface design and privacy considerations warrant careful attention for real-world deployment.

Abstract

Passwords are the primary authentication method online, but even with password policies and meters, users still find it hard to create strong and memorable passwords. In this paper, we propose DPAR: a Data-driven PAssword Recommendation system based on a dataset of 905 million leaked passwords. DPAR generates password recommendations by analyzing the user's given password and suggesting specific tweaks that would make it stronger while still keeping it memorable and similar to the original password. We conducted two studies to evaluate our approach: verifying the memorability of generated passwords (n=317), and evaluating the strength and recall of DPAR recommendations against password meters (n=441). In a randomized experiment, we show that DPAR increased password strength by 34.8 bits on average and did not significantly affect the ability to recall their password. Furthermore, 36.6% of users accepted DPAR's recommendations verbatim. We discuss our findings and their implications for enhancing password management with recommendation systems.

Improving Users' Passwords with DPAR: a Data-driven Password Recommendation System

TL;DR

DPAR addresses the ongoing challenge of helping users create strong, memorable passwords by recommending small, user-specific edits rather than generating entirely new passwords. It leverages PESrank, a data-driven strength model trained on a corpus of 905 million leaked passwords, to decompose a password into five dimensions and generate 676 candidate tweaks that balance similarity and security. Across two studies (n=317 memorability; n=441 strength/recall), DPAR increased password strength by about 34.8 bits on average and achieved a 36.6% verbatim adoption rate of recommendations, with recall unaffected relative to feedback-only approaches. The work demonstrates that actionable, per-password recommendations can boost security while maintaining usability, though interface design and privacy considerations warrant careful attention for real-world deployment.

Abstract

Passwords are the primary authentication method online, but even with password policies and meters, users still find it hard to create strong and memorable passwords. In this paper, we propose DPAR: a Data-driven PAssword Recommendation system based on a dataset of 905 million leaked passwords. DPAR generates password recommendations by analyzing the user's given password and suggesting specific tweaks that would make it stronger while still keeping it memorable and similar to the original password. We conducted two studies to evaluate our approach: verifying the memorability of generated passwords (n=317), and evaluating the strength and recall of DPAR recommendations against password meters (n=441). In a randomized experiment, we show that DPAR increased password strength by 34.8 bits on average and did not significantly affect the ability to recall their password. Furthermore, 36.6% of users accepted DPAR's recommendations verbatim. We discuss our findings and their implications for enhancing password management with recommendation systems.
Paper Structure (34 sections, 8 figures, 4 tables, 1 algorithm)

This paper contains 34 sections, 8 figures, 4 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Background
  3. Password policies
  4. Nudging users
  5. Measuring passwords
  6. Password creation systems
  7. DPAR Design and Implementation
  8. Password strength modeling
  9. Password Enhancement
  10. Recommendation Generation Process
  11. User Experience
  12. DPAR inputs and configuration
  13. Perceived memorability study
  14. Methodology
  15. Results
  16. ...and 19 more sections

Figures (8)

  • Figure 1: A step-by-step flow of the DPAR user experience, assuming the user initially chose the password "1qaz1qaz"
  • Figure 2: Password Levenshtein distance vs. ranks of perceived memorability, linear regression equation: $y= 0.46X + 1.59$.
  • Figure 3: Password strength vs. users' ranks of passwords' strength.
  • Figure 4: The graphical user interface for the three different feedback+recommendation button variants.
  • Figure 5: Password strength of feedback-only versus feedback+recommendations participants.
  • ...and 3 more figures