The password game: Negative externalities from weak password practices

Sören Preibusch, Joseph Bonneau

Research output: Chapter in Book/Report/Conference proceedingConference contribution


The combination of username and password is widely used as a human authentication mechanism on the Web. Despite this universal adoption and despite their long tradition, password schemes exhibit a high number of security flaws which jeopardise the confidentiality and integrity of personal information. As Web users tend to reuse the same password for several sites, security negligence at any one site introduces a negative externality into the entire password ecosystem. We analyse this market inefficiency as the equilibrium between password deployment strategies at security-concerned Web sites and indifferent Web sites. The game-theoretic prediction is challenged by an empirical analysis. By a manual inspection of 150 public Web sites that offer free yet password-protected sign-up, complemented by an automated sampling of 2184 Web sites, we demonstrate that observed password practices follow the theory: Web sites that have little incentive to invest in security are indeed found to have weaker password schemes, thereby facilitating the compromise of other sites. We use the theoretical model to explore which technical and regulatory approaches could eliminate the empirically detected inefficiency in the market for password protection.

Original languageEnglish (US)
Title of host publicationDecision and Game Theory for Security - First International Conference, GameSec 2010, Proceedings
Number of pages16
StatePublished - 2010
Event1st International Conference on Decision and Game Theory for Security, GameSec 2010 - Berlin, Germany
Duration: Nov 22 2010Nov 23 2010

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume6442 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Other1st International Conference on Decision and Game Theory for Security, GameSec 2010

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science


Dive into the research topics of 'The password game: Negative externalities from weak password practices'. Together they form a unique fingerprint.

Cite this