{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,1]],"date-time":"2026-04-01T17:59:17Z","timestamp":1775066357266,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":83,"publisher":"ACM","license":[{"start":{"date-parts":[[2016,5,7]],"date-time":"2016-05-07T00:00:00Z","timestamp":1462579200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nd\/4.0\/"}],"funder":[{"name":"NSF","award":["CNS-1116776"],"award-info":[{"award-number":["CNS-1116776"]}]},{"name":"NSF","award":["DGE-0903659"],"award-info":[{"award-number":["DGE-0903659"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2016,5,7]]},"DOI":"10.1145\/2858036.2858546","type":"proceedings-article","created":{"date-parts":[[2016,5,5]],"date-time":"2016-05-05T10:08:22Z","timestamp":1462442902000},"page":"3748-3760","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":101,"title":["Do Users' Perceptions of Password Security Match Reality?"],"prefix":"10.1145","author":[{"given":"Blase","family":"Ur","sequence":"first","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, PA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jonathan","family":"Bees","sequence":"additional","affiliation":[{"name":"The Pennsylvania State University, State College, PA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Sean M.","family":"Segreti","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, PA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Lujo","family":"Bauer","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, PA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Nicolas","family":"Christin","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, PA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Lorrie Faith","family":"Cranor","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, PA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2016,5,7]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/2699026.2699118"},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/322796.322806"},{"key":"e_1_3_2_1_3_1","volume-title":"Proc. WEIS.","author":"Asgharpour Farzaneh","unstructured":"Farzaneh Asgharpour, Debin Lu, and L. Jean Camp. 2007. Mental Models of Computer Security Risks. In Proc. WEIS."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/2664243.2664253"},{"key":"e_1_3_2_1_5_1","volume-title":"Ashley Madison: Two women explain how hack changed their lives. BBC http:\/\/www.bbc.co.uk\/news\/technology-34072762. (August 27","author":"Baraniuk Chris","year":"2015","unstructured":"Chris Baraniuk. 2015. Ashley Madison: Two women explain how hack changed their lives. BBC http:\/\/www.bbc.co.uk\/news\/technology-34072762. (August 27, 2015)."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1093\/pan\/mpr057"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.14722\/usec.2015.23003"},{"key":"e_1_3_2_1_8_1","volume-title":"The Gawker hack: How a million passwords were lost. Light Blue Touchpaper Blog. (December","author":"Bonneau Joseph","year":"2010","unstructured":"Joseph Bonneau. 2010. The Gawker hack: How a million passwords were lost. Light Blue Touchpaper Blog. (December 2010). http:\/\/www.lightbluetouchpaper.org\/2010\/12\/15\/thegawker-hack-how-a-million-passwords-were-lost\/."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.49"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-35694-0_10"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.44"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/2699390"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-34638-5_1"},{"key":"e_1_3_2_1_14_1","unstructured":"Jon Brodkin. 2012. 10 (or so) of the worst passwords exposed by the LinkedIn hack. Ars Technica. (June 2012)."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1177\/1745691610393980"},{"key":"e_1_3_2_1_16_1","volume-title":"Apple knew of iCloud security hole 6 months before Celebgate. The Daily Dot. (September 24","author":"Cameron Dell","year":"2014","unstructured":"Dell Cameron. 2014. Apple knew of iCloud security hole 6 months before Celebgate. The Daily Dot. (September 24 2014). http:\/\/www.dailydot.com\/technology\/appleicloud-brute-force-attack-march\/."},{"key":"e_1_3_2_1_17_1","unstructured":"Carnegie Mellon University. 2015. Password Guessability Service. https:\/\/pgs.ece.cmu.edu. (2015)."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23357"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23268"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/2702123.2702141"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.ijhcs.2012.02.008"},{"key":"e_1_3_2_1_22_1","volume-title":"You Can Do Better -- Motivational Statements in Password-Meter Feedback. SOUPS Poster","author":"Eargle David","year":"2015","unstructured":"David Eargle, John Godfrey, Hsin Miao, Scott Stevenson, Richard Shay, Blase Ur, and Lorrie Cranor. 2015. You Can Do Better -- Motivational Statements in Password-Meter Feedback. SOUPS Poster (2015)."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/2470654.2481329"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/2501604.2501617"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/1242572.1242661"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.5555\/2717491.2717494"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.5555\/2671225.2671262"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.5555\/2755205"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/1143120.1143127"},{"key":"e_1_3_2_1_30_1","unstructured":"Megan Geuss. 2015. Mozilla: data stolen from hacked bug database was used to attack Firefox. Ars Technica http:\/\/arstechnica.com\/security\/2015\/09\/mozilla-data-stolen-from-hacked-bug-databasewas-used-to-attack-firefox\/. (September 4 2015)."},{"key":"e_1_3_2_1_31_1","unstructured":"Jeffrey Goldberg. 2013. Defining Password Strength. In Passwords."},{"key":"e_1_3_2_1_32_1","volume-title":"Why passwords have never been weaker and crackers have never been stronger. Ars Technica. (August","author":"Goodin Dan","year":"2012","unstructured":"Dan Goodin. 2012. Why passwords have never been weaker and crackers have never been stronger. Ars Technica. (August 2012). http:\/\/arstechnica.com\/security\/2012\/08\/passwords-under-assault\/."},{"key":"e_1_3_2_1_33_1","volume-title":"Anatomy of a hack: How crackers ransack passwords like \"qeadzcwrsfxv1331\". Ars Technica. (May","author":"Goodin Dan","year":"2013","unstructured":"Dan Goodin. 2013. Anatomy of a hack: How crackers ransack passwords like \"qeadzcwrsfxv1331\". Ars Technica. (May 2013). http:\/\/arstechnica.com\/security\/2013\/05\/howcrackers-make-minced-meat-out-of-yourpasswords\/."},{"key":"e_1_3_2_1_34_1","unstructured":"Dan Goodin. 2015. Once seen as bulletproof 11 million+ Ashley Madison passwords already cracked. Ars Technica http:\/\/arstechnica.com\/security\/2015\/09\/onceseen-as-bulletproof-11-million-ashley-madisonpasswords-already-cracked\/. (September 10 2015)."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","unstructured":"S.M. Taiabul Haque Matthew Wright and Shannon Scielzo. 2013. A Study of User Password Strategy for Multiple Accounts. In CODASPY. 10.1145\/2435349.2435373","DOI":"10.1145\/2435349.2435373"},{"key":"e_1_3_2_1_36_1","first-page":"8","article-title":"Next Gen PCFG Password Cracking","volume":"10","author":"Houshmand Shiva","year":"2015","unstructured":"Shiva Houshmand, Sudhir Aggarwal, and Randy Flood. 2015. Next Gen PCFG Password Cracking. IEEE TIFS 10, 8 (Aug 2015), 1776-1791.","journal-title":"IEEE TIFS"},{"key":"e_1_3_2_1_37_1","unstructured":"Imperva. 2010. Consumer Password Worst Practices. (2010). http:\/\/www.imperva.com\/docs\/WP_Consumer_Password_Worst_Practices.pdf."},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/1837110.1837118"},{"key":"e_1_3_2_1_39_1","volume-title":"Proc. SOUPS.","author":"Ion Iulia","year":"2015","unstructured":"Iulia Ion, Rob Reeder, and Sunny Consolvo. 2015. \"...no one can hack my mind\": Comparing Expert and Non-Expert Security Practices. In Proc. SOUPS."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/1837885.1837906"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/975817.975820"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.5555\/2372387.2372397"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.38"},{"key":"e_1_3_2_1_44_1","unstructured":"Saranga Komanduri. 2015. Modeling the adversary to evaluate password strength with limited samples. Ph.D. Dissertation. Carnegie Mellon University."},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.5555\/2671225.2671263"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/1143120.1143129"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.5555\/2671225.2671261"},{"key":"e_1_3_2_1_48_1","volume-title":"International Business Times. (September 2","author":"Love Dylan","year":"2014","unstructured":"Dylan Love. 2014. Apple On iCloud Breach: It's Not Our Fault Hackers Guessed Celebrity Passwords. International Business Times. (September 2 2014). http:\/\/www.ibtimes.com\/apple-icloud-breach-itsnot-our-fault-hackers-guessed-celebritypasswords-1676268."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.50"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/2187836.2187878"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516726"},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/2858036.2858384"},{"key":"e_1_3_2_1_53_1","unstructured":"Randall Munroe. 2012. xkcd: Password strength. https:\/\/www.xkcd.com\/936\/. (2012)."},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.5555\/1862758.1862770"},{"key":"e_1_3_2_1_55_1","unstructured":"Alexander Peslyak. 1996-. John the Ripper. http:\/\/www.openwall.com\/john\/. (1996-)."},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.5555\/1268708.1268740"},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1145\/2335356.2335364"},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","unstructured":"Joel Ross Lilly Irani M. Six Silberman Andrew Zaldivar and Bill Tomlinson. 2010. Who are the crowdworkers?: Shifting demographics in Mechanical Turk. In CHI Extended Abstracts. 10.1145\/1753846.1753873","DOI":"10.1145\/1753846.1753873"},{"key":"e_1_3_2_1_59_1","volume-title":"http:\/\/www.schneier.com\/blog\/archives\/2009\/08\/password_advice.html. (August","author":"Schneier Bruce","year":"2009","unstructured":"Bruce Schneier. 2009. Password Advice. http:\/\/www.schneier.com\/blog\/archives\/2009\/08\/password_advice.html. (August 2009)."},{"key":"e_1_3_2_1_60_1","volume-title":"Motivating Users to Choose Better Passwords Through Peer Pressure. SOUPS Poster","author":"Sotirakopoulos Andreas","year":"2011","unstructured":"Andreas Sotirakopoulos, Ildar Muslukov, Konstantin Beznosov, Cormac Herley, and Serge Egelman. 2011. Motivating Users to Choose Better Passwords Through Peer Pressure. SOUPS Poster (2011)."},{"key":"e_1_3_2_1_61_1","unstructured":"Jens Steubbe. 2009. Hashcat. http:\/\/hashcat.net\/oclhashcat-plus\/. (2009)."},{"key":"e_1_3_2_1_62_1","volume-title":"Proc. SOUPS.","author":"Stobert Elizabeth","year":"2014","unstructured":"Elizabeth Stobert and Robert Biddle. 2014. The Password Life Cycle: User Behaviour in Managing Passwords. In Proc. SOUPS."},{"key":"e_1_3_2_1_63_1","volume-title":"Proc. Passwords.","author":"Stobert Elizabeth","year":"2015","unstructured":"Elizabeth Stobert and Robert Biddle. 2015. Expert Password Management. In Proc. Passwords."},{"key":"e_1_3_2_1_64_1","unstructured":"Stricture Consulting Group. 2015. Password Audits. http:\/\/stricture-group.com\/services\/passwordaudits.htm. (2015)."},{"key":"e_1_3_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.1145\/2078827.2078833"},{"key":"e_1_3_2_1_66_1","volume-title":"Sunstein","author":"Thaler Richard H.","year":"2008","unstructured":"Richard H. Thaler and Cass R. Sunstein. 2008. Nudge: Improving decisions about health, wealth, and happiness. Yale University Press."},{"key":"e_1_3_2_1_67_1","volume-title":"eHarmony Password Dump Analysis. (June","author":"Spiderlabs Trustwave","year":"2012","unstructured":"Trustwave Spiderlabs. 2012. eHarmony Password Dump Analysis. (June 2012). http:\/\/blog.spiderlabs.com\/2012\/06\/eharmonypassword-dump-analysis.html."},{"key":"e_1_3_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.5555\/2362793.2362798"},{"key":"e_1_3_2_1_69_1","volume-title":"Poster: The Art of Password Creation. In IEEE Symposium on Security and Privacy (Posters).","author":"Ur Blase","year":"2013","unstructured":"Blase Ur, Saranga Komanduri, Richard Shay, Stephanos Matsumoto, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Patrick Gage Kelley, Michelle L. Mazurek, and Timothy Vidas. 2013. Poster: The Art of Password Creation. In IEEE Symposium on Security and Privacy (Posters)."},{"key":"e_1_3_2_1_70_1","volume-title":"Proc. SOUPS.","author":"Ur Blase","year":"2015","unstructured":"Blase Ur, Fumiko Noma, Jonathan Bees, Sean M. Segreti, Richard Shay, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. 2015a. \"I Added '!' at the End to Make It Secure\": Observing Password Creation in the Lab. In Proc. SOUPS."},{"key":"e_1_3_2_1_71_1","doi-asserted-by":"publisher","DOI":"10.5555\/2831143.2831173"},{"key":"e_1_3_2_1_72_1","volume-title":"Just Make It HackMe.","author":"Vance Ashlee","year":"2010","unstructured":"Ashlee Vance. 2010. If Your Password Is 123456, Just Make It HackMe. NY Times, http:\/\/www.nytimes.com\/2010\/01\/21\/technology\/21password.html. (2010)."},{"key":"e_1_3_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.1109\/HICSS.2013.196"},{"key":"e_1_3_2_1_74_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23103"},{"key":"e_1_3_2_1_75_1","doi-asserted-by":"publisher","DOI":"10.1145\/2379690.2379702"},{"key":"e_1_3_2_1_76_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-42001-6_18"},{"key":"e_1_3_2_1_77_1","volume-title":"Alexander De Luca, and Heinrich Hussmann","author":"von Zezschwitz Emanuel","year":"2013","unstructured":"Emanuel von Zezschwitz, Alexander De Luca, and Heinrich Hussmann. 2013. Survival of the Shortest: A Retrospective Analysis of Influencing Factors on Password Composition. In INTERACT."},{"key":"e_1_3_2_1_78_1","doi-asserted-by":"publisher","DOI":"10.1145\/1837110.1837125"},{"key":"e_1_3_2_1_79_1","unstructured":"Matt Weir. 2009. The RockYou 32 Million Password List Top 100. http:\/\/reusablesec.blogspot.com\/2009\/12\/rockyou-32-million-password-list-top.html. (December 2009)."},{"key":"e_1_3_2_1_80_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866327"},{"key":"e_1_3_2_1_81_1","unstructured":"Dan Wheeler. 2012. zxcvbn: realistic password strength estimation. https:\/\/blogs.dropbox.com\/tech\/2012\/04\/zxcvbnrealistic-password-strength-estimation\/. (2012)."},{"key":"e_1_3_2_1_82_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866328"},{"key":"e_1_3_2_1_83_1","doi-asserted-by":"publisher","DOI":"10.1109\/eCRS.2013.6805770"}],"event":{"name":"CHI'16: CHI Conference on Human Factors in Computing Systems","location":"San Jose California USA","acronym":"CHI'16","sponsor":["SIGCHI ACM Special Interest Group on Computer-Human Interaction"]},"container-title":["Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2858036.2858546","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2858036.2858546","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2858036.2858546","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T09:49:12Z","timestamp":1763459352000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2858036.2858546"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,5,7]]},"references-count":83,"alternative-id":["10.1145\/2858036.2858546","10.1145\/2858036"],"URL":"https:\/\/doi.org\/10.1145\/2858036.2858546","relation":{},"subject":[],"published":{"date-parts":[[2016,5,7]]},"assertion":[{"value":"2016-05-07","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}