We are happy to share a new pre-print, titled “Improving Users’ Passwords with DPAR: a Data-driven Password Recommendation System”, now available on arXiv. The paper is based on the thesis work by Assaf Morag, and was done in collaboration with Liron David and Avishai Wool.

Passwords remain very important to security, but creating strong and memorable passwords is a challenge for many users. Password policies and password meters famously result in weaker passwords.

DPAR takes a recommender-system approach: it suggests small modifications to the user’s existing password. DPAR leverages a massive dataset of 905 million leaked passwords to offer personalized password recommendations. By analyzing a user’s initial password, DPAR suggests specific tweaks to enhance its strength without compromising its memorability. This approach ensures that the recommended passwords are similar to the original ones, making them easier for users to remember.
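
A simplified illustration of the recommender idea described above (an added example, not DPAR's algorithm and not code from the paper): it scores passwords with a character-bigram model trained on a tiny constructed corpus and ranks single-character tweaks by estimated strength gain. The corpus, the bigram scoring model and all function names are assumptions made for this example.

```python
import math
import string
from collections import Counter

# Constructed stand-in for a leaked-password corpus (DPAR uses 905 million).
LEAKED = {"password", "password1", "passw0rd", "123456", "qwerty",
          "letmein", "dragon", "sunshine", "iloveyou", "monkey12"}
ALPHABET = string.ascii_lowercase + string.digits + "!@#$"
START, END = "\x02", "\x03"  # markers that cannot collide with ALPHABET

def train_bigrams(corpus):
    """Count character bigrams over the corpus, including start/end markers."""
    counts, totals = Counter(), Counter()
    for pw in corpus:
        padded = START + pw + END
        for a, b in zip(padded, padded[1:]):
            counts[a, b] += 1
            totals[a] += 1
    return counts, totals

def strength_bits(pw, model):
    """-log2 of the password's probability under the smoothed bigram model."""
    counts, totals = model
    vocab = len(ALPHABET) + 1  # +1 for the end marker
    padded = START + pw + END
    bits = 0.0
    for a, b in zip(padded, padded[1:]):
        bits -= math.log2((counts[a, b] + 0.1) / (totals[a] + 0.1 * vocab))
    return bits

def single_edits(pw):
    """All passwords one insertion or one substitution away from pw."""
    out = set()
    for i in range(len(pw) + 1):
        for c in ALPHABET:
            out.add(pw[:i] + c + pw[i:])            # insertion
            if i < len(pw) and c != pw[i]:
                out.add(pw[:i] + c + pw[i + 1:])    # substitution
    return out

def recommend(pw, model, k=3):
    """Top-k single-edit tweaks by estimated gain in bits, never a leaked one."""
    base = strength_bits(pw, model)
    scored = [(strength_bits(c, model) - base, c)
              for c in single_edits(pw) if c not in LEAKED]
    return sorted(scored, reverse=True)[:k]

MODEL = train_bigrams(LEAKED)
```

Calling `recommend("password", MODEL)` returns `(gain_in_bits, candidate)` pairs; every candidate differs from the input by exactly one character, which is what keeps the suggestion close to what the user already chose.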

To assess the effectiveness of DPAR, we conducted two comprehensive studies:

  1. Memorability Study (n=317): This study focused on verifying whether the passwords generated by DPAR are easy to remember.
  2. Strength and Recall Study (n=441): In this randomized experiment, we compared the strength and recall of DPAR-generated passwords against those evaluated by traditional password meters.

Our findings show that:

  • Increased Strength: DPAR recommendations increased password strength by an average of 34.8 bits.
  • Memorability: The ability to recall passwords was not significantly affected by the strength improvements.
  • User Acceptance: 36.6% of users accepted DPAR’s recommendations without modification.

The findings from our studies suggest that password recommendations can play a crucial role in enhancing password management practices. By providing tailored, data-driven recommendations, DPAR helps users create stronger passwords without the common trade-off of reduced memorability. This advancement has the potential to significantly improve online security by empowering users with better tools for password creation.