The password game: Negative externalities from weak password practices

Sören Preibusch, Joseph Bonneau

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The combination of username and password is widely used as a human authentication mechanism on the Web. Despite this universal adoption and despite their long tradition, password schemes exhibit a high number of security flaws which jeopardise the confidentiality and integrity of personal information. As Web users tend to reuse the same password for several sites, security negligence at any one site introduces a negative externality into the entire password ecosystem. We analyse this market inefficiency as the equilibrium between password deployment strategies at security-concerned Web sites and indifferent Web sites. The game-theoretic prediction is challenged by an empirical analysis. By a manual inspection of 150 public Web sites that offer free yet password-protected sign-up, complemented by an automated sampling of 2184 Web sites, we demonstrate that observed password practices follow the theory: Web sites that have little incentive to invest in security are indeed found to have weaker password schemes, thereby facilitating the compromise of other sites. We use the theoretical model to explore which technical and regulatory approaches could eliminate the empirically detected inefficiency in the market for password protection.

Original language: English (US)
Title of host publication: Decision and Game Theory for Security - First International Conference, GameSec 2010, Proceedings
Pages: 192-207
Number of pages: 16
Volume: 6442 LNCS
DOI: 10.1007/978-3-642-17197-0_13
State: Published - 2010
Event: 1st International Conference on Decision and Game Theory for Security, GameSec 2010 - Berlin, Germany
Duration: Nov 22 2010 - Nov 23 2010

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 6442 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 1st International Conference on Decision and Game Theory for Security, GameSec 2010
Country: Germany
City: Berlin
Period: 11/22/10 - 11/23/10

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Preibusch, S., & Bonneau, J. (2010). The password game: Negative externalities from weak password practices. In Decision and Game Theory for Security - First International Conference, GameSec 2010, Proceedings (Vol. 6442 LNCS, pp. 192-207). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6442 LNCS). https://doi.org/10.1007/978-3-642-17197-0_13

@inproceedings{9459cae60bbc4c3d83204fe0ee732a5e,
title = "The password game: Negative externalities from weak password practices",
author = "S{\"o}ren Preibusch and Joseph Bonneau",
year = "2010",
doi = "10.1007/978-3-642-17197-0_13",
language = "English (US)",
isbn = "3642171966",
volume = "6442 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "192--207",
booktitle = "Decision and Game Theory for Security - First International Conference, GameSec 2010, Proceedings",
}

TY - GEN

T1 - The password game

T2 - Negative externalities from weak password practices

AU - Preibusch, Sören

AU - Bonneau, Joseph

PY - 2010

Y1 - 2010

UR - http://www.scopus.com/inward/record.url?scp=78650745563&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=78650745563&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-17197-0_13

DO - 10.1007/978-3-642-17197-0_13

M3 - Conference contribution

AN - SCOPUS:78650745563

SN - 3642171966

SN - 9783642171963

VL - 6442 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 192

EP - 207

BT - Decision and Game Theory for Security - First International Conference, GameSec 2010, Proceedings

ER -