TY - GEN
T1 - The password game
T2 - 1st International Conference on Decision and Game Theory for Security, GameSec 2010
AU - Preibusch, Sören
AU - Bonneau, Joseph
PY - 2010
Y1 - 2010
N2 - The combination of username and password is widely used as a human authentication mechanism on the Web. Despite this universal adoption and despite their long tradition, password schemes exhibit a high number of security flaws which jeopardise the confidentiality and integrity of personal information. As Web users tend to reuse the same password for several sites, security negligence at any one site introduces a negative externality into the entire password ecosystem. We analyse this market inefficiency as the equilibrium between password deployment strategies at security-concerned Web sites and indifferent Web sites. The game-theoretic prediction is challenged by an empirical analysis. By a manual inspection of 150 public Web sites that offer free yet password-protected sign-up, complemented by an automated sampling of 2184 Web sites, we demonstrate that observed password practices follow the theory: Web sites that have little incentive to invest in security are indeed found to have weaker password schemes, thereby facilitating the compromise of other sites. We use the theoretical model to explore which technical and regulatory approaches could eliminate the empirically detected inefficiency in the market for password protection.
AB - The combination of username and password is widely used as a human authentication mechanism on the Web. Despite this universal adoption and despite their long tradition, password schemes exhibit a high number of security flaws which jeopardise the confidentiality and integrity of personal information. As Web users tend to reuse the same password for several sites, security negligence at any one site introduces a negative externality into the entire password ecosystem. We analyse this market inefficiency as the equilibrium between password deployment strategies at security-concerned Web sites and indifferent Web sites. The game-theoretic prediction is challenged by an empirical analysis. By a manual inspection of 150 public Web sites that offer free yet password-protected sign-up, complemented by an automated sampling of 2184 Web sites, we demonstrate that observed password practices follow the theory: Web sites that have little incentive to invest in security are indeed found to have weaker password schemes, thereby facilitating the compromise of other sites. We use the theoretical model to explore which technical and regulatory approaches could eliminate the empirically detected inefficiency in the market for password protection.
UR - http://www.scopus.com/inward/record.url?scp=78650745563&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=78650745563&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-17197-0_13
DO - 10.1007/978-3-642-17197-0_13
M3 - Conference contribution
AN - SCOPUS:78650745563
SN - 3642171966
SN - 9783642171963
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 192
EP - 207
BT - Decision and Game Theory for Security - First International Conference, GameSec 2010, Proceedings
Y2 - 22 November 2010 through 23 November 2010
ER -