Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms
Top Cited Papers
Open Access
- 1 May 2012
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE)
- p. 523-537
- https://doi.org/10.1109/sp.2012.38
Abstract
Text-based passwords remain the dominant authentication method in computer systems, despite significant advancement in attackers' capabilities to perform password cracking. In response to this threat, password composition policies have grown increasingly complex. However, there is insufficient research defining metrics to characterize password strength and using them to evaluate password-composition policies. In this paper, we analyze 12,000 passwords collected under seven composition policies via an online study. We develop an efficient distributed method for calculating how effectively several heuristic password-guessing algorithms guess passwords. Leveraging this method, we investigate (a) the resistance of passwords created under different conditions to guessing, (b) the performance of guessing algorithms under different training sets, (c) the relationship between passwords explicitly created under a given composition policy and other passwords that happen to meet the same requirements, and (d) the relationship between guessability, as measured with password-cracking algorithms, and entropy estimates. Our findings advance understanding of both password-composition policies and metrics for quantifying password security.