Improving Users' Passwords with DPAR: a Data-driven Password Recommendation System

TL;DR

DPAR is a data-driven password recommendation system that enhances password strength by suggesting subtle modifications, maintaining memorability, and proven effective through user studies and experiments.

Contribution

Introduces DPAR, a novel password recommendation system leveraging leaked password datasets to improve strength without compromising memorability.

Findings

Password strength increased by 34.8 bits on average.

36.6% of users accepted recommendations verbatim.

No significant impact on password recall ability.

Abstract

Passwords are the primary authentication method online, but even with password policies and meters, users still find it hard to create strong and memorable passwords. In this paper, we propose DPAR: a Data-driven PAssword Recommendation system based on a dataset of 905 million leaked passwords. DPAR generates password recommendations by analyzing the user's given password and suggesting specific tweaks that would make it stronger while still keeping it memorable and similar to the original password. We conducted two studies to evaluate our approach: verifying the memorability of generated passwords (n=317), and evaluating the strength and recall of DPAR recommendations against password meters (n=441). In a randomized experiment, we show that DPAR increased password strength by 34.8 bits on average and did not significantly affect the ability to recall their password. Furthermore, 36.6% of users accepted DPAR's recommendations verbatim. We discuss our findings and their implications for enhancing password management with recommendation systems.