The Tangled Web of Password Reuse

Anupam Das, Joseph Bonneau, Matthew Caesar, Nikita Borisov, Xiao Feng Wang

Research output: Contribution to conference › Paper › peer-review


Today’s Internet services rely heavily on text-based passwords for user authentication. The pervasiveness of these services coupled with the difficulty of remembering large numbers of secure passwords tempts users to reuse passwords at multiple sites. In this paper, we investigate for the first time how an attacker can leverage a known password from one site to more easily guess that user’s password at other sites. We study several hundred thousand leaked passwords from eleven web sites and conduct a user survey on password reuse; we estimate that 43-51% of users reuse the same password across multiple sites. We further identify a few simple tricks users often employ to transform a basic password between sites which can be used by an attacker to make password guessing vastly easier. We develop the first cross-site password-guessing algorithm, which is able to guess 30% of transformed passwords within 100 attempts compared to just 14% for a standard password-guessing algorithm without cross-site password knowledge.

Original language: English (US)
State: Published - 2014
Event: 21st Annual Network and Distributed System Security Symposium, NDSS 2014 - San Diego, United States
Duration: Feb 23 2014 - Feb 26 2014


Conference: 21st Annual Network and Distributed System Security Symposium, NDSS 2014
Country/Territory: United States
City: San Diego

ASJC Scopus subject areas

  • Control and Systems Engineering
  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications

