Communications of the ACM
Password security: a case history
Communications of the ACM
A note on proactive password checking
Proceedings of the 2001 workshop on New security paradigms
Securing passwords against dictionary attacks
Proceedings of the 9th ACM conference on Computer and communications security
Telling humans and computers apart automatically
Communications of the ACM - Information cities
Fast dictionary attacks on passwords using time-space tradeoff
Proceedings of the 12th ACM conference on Computer and communications security
Human selection of mnemonic phrase-based passwords
SOUPS '06 Proceedings of the second symposium on Usable privacy and security
A large-scale study of web password habits
Proceedings of the 16th international conference on World Wide Web
Password Cracking Using Probabilistic Context-Free Grammars
SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Investigating the distribution of password choices
Proceedings of the 21st international conference on World Wide Web
Correct horse battery staple: exploring the usability of system-assigned passphrases
Proceedings of the Eighth Symposium on Usable Privacy and Security
How does your password measure up? the effect of strength meters on password creation
Security'12 Proceedings of the 21st USENIX conference on Security symposium
The benefits of understanding passwords
HotSec'12 Proceedings of the 7th USENIX conference on Hot Topics in Security
Journal of Computer and System Sciences
Statistical metrics for individual password strength
SP'12 Proceedings of the 20th international conference on Security Protocols
Does my password go up to eleven?: the impact of password meters on password selection
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Measuring password guessability for an entire university
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Hi-index | 0.00 |
It is a well known fact that user-chosen passwords are somewhat predictable: by using tools such as dictionaries or probabilistic models, attackers and password recovery tools can drastically reduce the number of attempts needed to guess a password. Quite surprisingly, however, existing literature does not provide a satisfying answer to the following question: given a number of guesses, what is the probability that a state-of-the-art attacker will be able to break a password? To answer the former question, we compare and evaluate the effectiveness of currently known attacks using various datasets of known passwords. We find that a "diminishing returns" principle applies: in the absence of an enforced password strength policy, weak passwords are common; on the other hand, as the attack goes on, the probability that a guess will succeed decreases by orders of magnitude. Even extremely powerful attackers won't be able to guess a substantial percentage of the passwords. The result of this work will help in evaluating the security of authentication means based on user-chosen passwords, and our methodology for estimating password strength can be used as a basis for creating more effective proactive password checkers for users and security auditing tools for administrators.