Professor Lorrie Cranor gives lecture on password security

Lorrie Cranor stands in front of her quilt that depicts the frequencies of passwords in their respective sizes. (credit: Lorrie Cranor)

Lorrie Cranor, computer science and engineering and public policy professor at Carnegie Mellon University, led a seminar hosted by Carnegie Mellon's Human-Computer Interaction Institution on the study of password security on Feb. 11.

This past January, the national health insurance company Anthem noticed that their cyber systems had been breached, and that the security of over 80 million records ranging from the names of customers to their social security numbers had been compromised. In this digital age, where virtual information can be unlocked with a simple password consisting of numbers, alphabetical characters, and occasional symbols, cyber attacks are very dangerous for anyone who has ever used an internet service.

Companies that hold critical information about their clients depend on some form of password protection for their databases. Although their security systems may not simply be a line of characters, the idea of passwords exists in every database to protect businesses. Personal information, including credit card and social security numbers, is often stolen in cyber attacks. Attackers are able to implement effective cracking algorithms that allow them to make billions of guesses offline. The most obvious question that researchers in cyber security and privacy ask is “How can we prevent cyber attacks?” But how exactly do these researchers find information about passwords, since they are kept so hidden from the public?

It turns out that pursuing research in the subject of passwords proves rather challenging and questionable. The fact that people are told not to disclose their passwords makes the study of them complicated. Studies that ask people to create passwords often receive superficial or questionable responses.

Cranor's research at Carnegie Mellon bypassed this obstacle by producing a study on actual data sets of passwords. After negotiating for two years with Carnegie Mellon’s Information Security Office (ISO), her research team was able to access data from Student Information Online (SIO) indirectly. Over 25,000 personal and active passwords of faculty, staff, and students and over 17,000 deactivated passwords under Carnegie Mellon’s system contributed to Cranor’s study on passwords. However, in order not to violate ethical codes and people's personal privacy, the research team developed a system that accesses this data in an atypical manner.

The data set of passwords never actually reached the eyes of any researcher in Cranor’s department. Instead, a black box system consisting of analytic algorithms was installed on a locked-up computer, isolated from both virtual and physical contact. This system was only audited by the Information Security Office (ISO) director who, after reviewing and gathering the necessary data, provided Cranor and her staff the findings on paper. Statistics on the vulnerability, otherwise known as the “guessability,” of passwords were derived from this study. For example, the findings showed that business majors created passwords 1.8 times weaker than computer science majors, and males made passwords 1.1 times stronger than females. With demographic data held in SIO’s database, many statistical facts could be easily accessed and contributed to this study.

Cranor’s research team also approached this study with Amazon’s Mechanical Turk (M-Turk) program, which gives researchers, developers, and businesses a scalable, on-demand workforce. By conducting a public survey involving specific conditions, their team found information on the strengths of different types of passwords. Essentially, participants of this survey were asked to come in, create a password, and answer survey questions about the passwords that they made. Specific conditions were given to participants, dictating how their passwords could be made. Some requirements included users making passwords sixteen characters long, a standard known as basic16, while some others were required to make a password stretching eight characters long with the inclusion of a special character and a number, known as comprehensive8. After the survey was conducted, the participant was asked to return two days later to recall their passwords and take another survey.

The statistics derived from M-Turk resembled the statistics discovered from the SIO study, revealing that this method of data collection achieves similar levels of accuracy compared to actual password studies. Cranor’s involvement with M-Turk gathered information not only on the strengths of people’s passwords, but also their usability. The surveys cross-compared the usability and security of different password requirements, finding the most efficient and effective balance between the two. The results showed that basic16 and comprehensive8 balanced the two sectors well compared to the other conditions. From Cranor’s personal findings over the years and preference, however, she states that “12 character passwords with at least two character classes, no keyboard patterns, and some special characters not at the beginning or end” are ideal standards for maximizing security and minimizing discomfort.
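The conditions named above can be written down as checks. The following is an added example, not code from Cranor's study: it reads basic16 and comprehensive8 as the article describes them (treated as minimum lengths), and it assumes that a "keyboard pattern" means four or more adjacent keys along one QWERTY row and that the quoted recommendation calls for at least one special character away from the first and last position.

```python
# Added example: checks a candidate password against the conditions in the article.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
PATTERN_LEN = 4  # assumption: 4+ adjacent keys on one row is a keyboard pattern


def char_class(ch):
    """Classify one character as lower, upper, digit, symbol or other."""
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    return "other" if ch.isalnum() else "symbol"


def has_keyboard_pattern(pw):
    """True if pw contains a run along a QWERTY row, in either direction."""
    lowered = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - PATTERN_LEN + 1):
                if seq[i:i + PATTERN_LEN] in lowered:
                    return True
    return False


def check_basic16(pw):
    """basic16 as described in the article, read as a minimum length."""
    return len(pw) >= 16


def check_comprehensive8(pw):
    """comprehensive8 as the article describes it: 8+ chars, a symbol, a number."""
    kinds = {char_class(c) for c in pw}
    return len(pw) >= 8 and {"symbol", "digit"} <= kinds


def check_cranor12(pw):
    """Return the ways pw misses the quoted 12-character recommendation."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if len({char_class(c) for c in pw}) < 2:
        problems.append("fewer than two character classes")
    if has_keyboard_pattern(pw):
        problems.append("contains a keyboard pattern")
    if not any(char_class(c) == "symbol" for c in pw[1:-1]):
        problems.append("no special character away from the first and last position")
    return problems
```

A password can satisfy comprehensive8 and still fail the 12-character recommendation, which is why `check_cranor12` returns the list of unmet points rather than a single yes or no.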

When Carnegie Mellon altered their password policies a few years ago, Cranor turned her focus and research towards passwords. She leads research and teaches a course on “Usable Privacy and Security” open to both undergraduate and graduate students. Although the study using Carnegie Mellon passwords is complete, Cranor continues to use M-Turk to conduct studies more focused on mobile devices and password strength misconceptions.