SURE

Sunderland Repository records the research produced by the University of Sunderland including practice-based research and theses.

A Data-Driven Password Strength Meter for Cybersecurity Assessment and Enhancement

Algharibeh, Moath, Husari, Gaith and Jaf, Sardar (2021) A Data-Driven Password Strength Meter for Cybersecurity Assessment and Enhancement. In: The 7th IEEE International Conference on Dependability in Sensor, Cloud, and Big Data Systems and Applications, 20-22 Dec 2021, Haikou. (Unpublished)

Item Type: Conference or Workshop Item (Paper)

Abstract

Password-based authentication is the most popular authentication mechanism over insecure networks due to its simplicity and convenience. To ensure the security of this authentication mechanism, measuring the strength of users’ passwords becomes a crucial task to guide users to create stronger passwords. However, password strength meters are only helpful if they are accurate. Password meters that do not provide accurate scores that reflect the actual password strengths, e.g., providing a high score for a weak password, may misinform users and hinder the overall security of password-based authentication mechanisms. While many password strength meters have been proposed in the literature, the lack of a standardized method for measuring password strength and comparing the accuracy of different password meters means that selecting the most appropriate password meter will remain a difficult and unclear process.
In this paper, we propose and implement a data-driven password meter that scrapes and collects large datasets to be used by the proposed password strength meter to help provide more accurate scores. We also measured the influence of the proposed meter in guiding users to create stronger passwords by tracking their eye movements. To do this, we conducted a user study on a testing web service and monitored the eye movements of our users using an eye tracking tool. Our results exhibited a significant improvement, influencing 88% of users to create passwords with an average cracking time of 150 years.

Dynamic_Password_Meter__DependSys_2021_conference.pdf - Accepted Version
Available under License Creative Commons Attribution.

More Information

Uncontrolled Keywords: password meter, authentication security, eye tracker, time-to-crack.
Depositing User: Sardar Jaf

Identifiers

Item ID: 14224
URI: http://sure.sunderland.ac.uk/id/eprint/14224
Official URL: http://www.ieee-cybermatics.org/2021/dependsys/ind...

Users with ORCIDS

ORCID for Sardar Jaf: ORCID iD orcid.org/0000-0002-5620-0277

Catalogue record

Date Deposited: 02 Dec 2021 15:38
Last Modified: 25 Jan 2022 08:48