Hierarchy of users' web passwords: Perceptions, practices and susceptibilities

Bibliographic Details
Published in International journal of human-computer studies Vol. 72; no. 12; pp. 860-874
Main Authors Taiabul Haque, S.M., Wright, Matthew, Scielzo, Shannon
Format Journal Article
Language English
Published Oxford Elsevier Ltd 01.12.2014
Elsevier
Summary: In this study, we propose a hierarchy of password importance, and we use an experiment to examine the degree of similarity between passwords for lower-level (e.g. news portal) and higher-level (e.g. banking) websites in this hierarchy. We asked subjects to construct passwords for websites at both levels. Leveraging the lower-level passwords along with a dictionary attack, we successfully cracked almost one-third of the subjects' higher-level passwords. In a survey, subjects reported frequently reusing higher-level passwords, with or without modifications, as well as using a similar process to construct both levels of passwords. We thus conclude that unsafely shared or leaked lower-level passwords can be used by attackers to crack higher-level passwords.

• We propose and verify a theoretical model of a hierarchy of users' passwords.
• We examine the degree of similarity between lower-level and higher-level passwords.
• Semantic similarity is more commonly used than syntactic similarity.
• We crack one-third of users' higher-level passwords by leveraging lower-level ones.
• Our findings highlight the indirect consequences of password sharing.
ISSN: 1071-5819
1095-9300
DOI: 10.1016/j.ijhcs.2014.07.007