Chi-en Amy Tai (University of Waterloo), Urs Hengartner (University of Waterloo), Alexander Wong (University of Waterloo)

Passwords are a ubiquitous form of authentication that is still present for many online services and platforms. Researchers have measured password creation policies for a multitude of websites and studied password creation behaviour for users who speak various languages. Evidence shows that limiting all users to alphanumeric characters and select special characters resulted in weaker passwords for certain demographics. However, password creation policies still concentrate on only alphanumeric characters and focus on increasing the length of passwords rather than the diversity of potential characters in the password. With the recent recommendation towards passphrases, further concerns arise pertaining to the potential consequences of not being inclusive in password creation. Previous work studying multilingual passphrase policies that combined English and African languages showed that multilingual passphrases are more user-friendly and also more difficult to guess than a passphrase based on a single language. However, their work only studied passphrases based on standard alphanumeric characters. In this paper, we measure the password strength of using a multilingual passphrase that contains characters outside of the standard alphanumeric characters and assess the availability of such multilingual passwords for websites with free account creation in the Tranco top 50 list and the Semrush top 20 websites in China list. We find that password strength meters like zxcvbn and MultiPSM surprisingly struggle with correctly assessing the strength of non-English-only passphrases with MultiPSM encountering an encoding issue with non-alphanumeric characters. In addition, we find that half of all tested valid websites accept multilingual passphrases but three websites struggled in general due to imposing a maximum password character limitation.

View More Papers

LLMPirate: LLMs for Black-box Hardware IP Piracy

Vasudev Gohil (Texas A&M University), Matthew DeLorenzo (Texas A&M University), Veera Vishwa Achuta Sai Venkat Nallam (Texas A&M University), Joey See (Texas A&M University), Jeyavijayan Rajendran (Texas A&M University)

Read More

A First Look at Scams on YouTube

Elijah Bouma-Sims, Bradley Reaves (North Carolina State University)

Read More

Attributing Open-Source Contributions is Critical but Difficult: A Systematic...

Jan-Ulrich Holtgrave (CISPA Helmholtz Center for Information Security), Kay Friedrich (CISPA Helmholtz Center for Information Security), Fabian Fischer (CISPA Helmholtz Center for Information Security), Nicolas Huaman (Leibniz University Hannover), Niklas Busch (CISPA Helmholtz Center for Information Security), Jan H. Klemmer (CISPA Helmholtz Center for Information Security), Marcel Fourné (Paderborn University), Oliver Wiese (CISPA Helmholtz Center…

Read More

DorkPot: A Honeypot-based Analysis of Google Dorks

Florian Quinkert, Eduard Leonhardt, Thorsten Holz

Read More