The Password Doesn't Fall Far: How Service Influences Password Choice

Miranda Wei, Maximilian Golla, Blase Ur

Who Are You?! Adventures in Authentication 2018 (WAY '18). Baltimore, MD, USA, August 12, 2018


Abstract

Users often create passwords based on familiar words or things they like, using these passwords across many web services. But does the type of web service influence how users construct their password? In this paper, we observe how and how often passwords are specific to the services for which they were created. We analyze leaked passwords from five web services. We find that passwords from each service reflect the category of the service, often by including the name or semantic theme of the service. Through a qualitative analysis of passwords, we further identify unique characteristics of the passwords created for each service. Service-specific passwords can reveal other shared interests or demographics of that service's userbase. This contextual perspective on password creation suggests improvements for site-specific blacklists and password-strength meters.

[PDF] [Slides]

tags: esblacklists, password choice, service-specific passwords