Abstract
The combination of username and password is widely used as a human authentication mechanism on the Web. Despite this universal adoption and despite their long tradition, password schemes exhibit a high number of security flaws which jeopardise the confidentiality and integrity of personal information. As Web users tend to reuse the same password for several sites, security negligence at any one site introduces a negative externality into the entire password ecosystem. We analyse this market inefficiency as the equilibrium between password deployment strategies at security-concerned Web sites and indifferent Web sites.
The game-theoretic prediction is challenged by an empirical analysis. By a manual inspection of 150 public Web sites that offer free yet password-protected sign-up, complemented by an automated sampling of 2184 Web sites, we demonstrate that observed password practices follow the theory: Web sites that have little incentive to invest in security are indeed found to have weaker password schemes, thereby facilitating the compromise of other sites. We use the theoretical model to explore which technical and regulatory approaches could eliminate the empirically detected inefficiency in the market for password protection.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
BugMeNot (February 2010)
Facebook Connect (2010), http://www.facebook.com/advertising/?connect
Windows Live Solution Center: Creating a strong password for your e-mail account (September 2010), http://windowslivehelp.com/solution.aspx?solutionid=3ca67154-2ee7-4da4-%8b95-f8aef17a71bc
Yahoo! Password Help (September 2010), http://help.yahoo.com/l/us/yahoo/abuse/password/faq.html
Bonneau, J., Preibusch, S.: The password thicket: technical and market failures in human authentication on the web. In: The Ninth Workshop on the Economics of Information Security, WEIS 2010 (2010)
Bundesamt für Sicherheit in der Informationstechnik (BSI) (Federal Office for Information Security). IT-Grundschutz Catalogues (2005)
Burr, W.E., Dodson, D.F., Timothy Polk, W.: Electronic Authentication Guideline. NIST Special Publication 800-63 (April 2006)
Chaos Computer Club (CCC). Datenbrief (January 2010), http://www.ccc.de/datenbrief
Florêncio, D., Herley, C.: A large-scale study of web password habits. In: WWW 2007: Proceedings of the 16th International Conference on World Wide Web, pp. 657–666. ACM, New York (2007)
Gaw, S., Felten, E.W.: Password Management Strategies for Online Accounts. In: SOUPS 2006: Proceedings of the Second Symposium on Usable Privacy and Security, pp. 44–55. ACM, New York (2006)
Notoatmodjo, G., Thomborson, C.: Passwords and Perceptions. In: Brankovic, L., Susilo, W. (eds.) Seventh Australasian Information Security Conference (AISC 2009), Wellington, New Zealand. CRPIT, vol. 98, pp. 71–78. ACS (2009)
Prince, B.: Twitter Details Phishing Attacks Behind Password Reset. eWeek (January 2010)
Recordon, D., Reed, D.: OpenID 2.0: a platform for user-centric identity management. In: DIM 2006: Proceedings of the Second ACM Workshop on Digital Identity Management, pp. 11–16. ACM, New York (2006)
Riley, S.: Password Security: What Users Know and What They Actually Do. Usability News 8(1) (2006)
Vance, A.: If Your Password Is 123456, Just Make It HackMe. The New York Times (January 2010)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Preibusch, S., Bonneau, J. (2010). The Password Game: Negative Externalities from Weak Password Practices. In: Alpcan, T., Buttyán, L., Baras, J.S. (eds) Decision and Game Theory for Security. GameSec 2010. Lecture Notes in Computer Science, vol 6442. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17197-0_13
Download citation
DOI: https://doi.org/10.1007/978-3-642-17197-0_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-17196-3
Online ISBN: 978-3-642-17197-0
eBook Packages: Computer ScienceComputer Science (R0)