The password allocation problem: strategies for reusing passwords effectively

Rishab Nithyanand, Rob Johnson
Published in: Proceedings of the 12th ACM workshop on Workshop on privacy in the electronic society
Publication date: 2013-11-04
DOI: 10.1145/2517840.2517870 (https://doi.org/10.1145/2517840.2517870)
Citations: 10

Abstract

Each Internet user has, on average, 25 password-protected accounts, but only 6.5 distinct passwords [webhabits]. Despite the advice of security experts, users are obviously re-using passwords across multiple sites. So this paper asks the question: given that users are going to re-use passwords across multiple sites, how should they best allocate those passwords to sites so as to minimize their losses from accidental password disclosures? We provide both theoretical and practical results. First, we provide a mathematical formulation of the Password Allocation (PA) problem and show that it is NP-complete with a reduction via the 3-Partition problem. We then study several special cases and show that the optimal solution is often a contiguous allocation -- i.e., similar accounts share passwords. Next, we evaluate several human- and machine-computable heuristics that have very good performance and produce solutions that are reasonably close to optimal. We find that the human-computable heuristics do not perform nearly as well as the machine-computable heuristics; however, they provide a useful and easy-to-follow set of guidelines for re-using passwords.