Testing metrics for password creation policies by attacking large sets of revealed passwords

Authors:
Matt Weir;Sudhir Aggarwal;Michael Collins;Henry Stern
Affiliations:
Florida State University, Tallahassee, FL, USA;Florida State University, Tallahassee, FL, USA;Redjack LLC, Washington D.C., DC, USA;Cisco IronPort Systems, San Bruno, CA, USA
Venue:
Proceedings of the 17th ACM conference on Computer and communications security
Year:
2010

Citing 9
Cited 23

Password security: a case history

Communications of the ACM
Password Memorability and Security: Empirical Results

IEEE Security and Privacy
Fast dictionary attacks on passwords using time-space tradeoff

Proceedings of the 12th ACM conference on Computer and communications security
Spelling-error tolerant, order-independent pass-phrases via the damerau-levenshtein string-edit distance metric

ACSW '07 Proceedings of the fifth Australasian symposium on ACSW frontiers - Volume 68
Improving text passwords through persuasion

Proceedings of the 4th symposium on Usable privacy and security
Password Cracking Using Probabilistic Context-Free Grammars

SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
So long, and no thanks for the externalities: the rational rejection of security advice by users

NSPW '09 Proceedings of the 2009 workshop on New security paradigms workshop
Password exhaustion: predicting the end of password usefulness

ICISS'06 Proceedings of the Second international conference on Information Systems Security
Selecting secure passwords

CT-RSA'07 Proceedings of the 7th Cryptographers' track at the RSA conference on Topics in Cryptology

Attack on the GridCode one-time password

Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Of passwords and people: measuring the effect of password-composition policies

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Using global knowledge of users' typing traits to attack keystroke biometrics templates

Proceedings of the thirteenth ACM multimedia workshop on Multimedia and security
A multi-word password proposal (gridWord) and exploring questions about science in security research and usable security evaluation

Proceedings of the 2011 workshop on New security paradigms workshop
Correct horse battery staple: exploring the usability of system-assigned passphrases

Proceedings of the Eighth Symposium on Usable Privacy and Security
Distinguishing users with capacitive touch communication

Proceedings of the 18th annual international conference on Mobile computing and networking
How does your password measure up? the effect of strength meters on password creation

Security'12 Proceedings of the 21st USENIX conference on Security symposium
Learning from early attempts to measure information security performance

CSET'12 Proceedings of the 5th USENIX conference on Cyber Security Experimentation and Test
The benefits of understanding passwords

HotSec'12 Proceedings of the 7th USENIX conference on Hot Topics in Security
Visualizing semantics in passwords: the role of dates

Proceedings of the Ninth International Symposium on Visualization for Cyber Security
Video-passwords: advertising while authenticating

Proceedings of the 2012 workshop on New security paradigms
Building better passwords using probabilistic techniques

Proceedings of the 28th Annual Computer Security Applications Conference
It's not stealing if you need it: a panel on the ethics of performing research using public data of illicit origin

FC'12 Proceedings of the 16th international conference on Financial Cryptography and Data Security
Statistical metrics for individual password strength

SP'12 Proceedings of the 20th international conference on Security Protocols
Does my password go up to eleven?: the impact of password meters on password selection

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Optimizing password composition policies

Proceedings of the fourteenth ACM conference on Electronic commerce
On the ecological validity of a password study

Proceedings of the Ninth Symposium on Usable Privacy and Security
Usability and security evaluation of GeoPass: a geographic location-password scheme

Proceedings of the Ninth Symposium on Usable Privacy and Security
Measuring password guessability for an entire university

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Passwords and interfaces: towards creating stronger passwords by using mobile phone handsets

Proceedings of the Third ACM workshop on Security and privacy in smartphones & mobile devices
Examining a Large Keystroke Biometrics Dataset for Statistical-Attack Openings

ACM Transactions on Information and System Security (TISSEC)
Pitfalls in the automated strengthening of passwords

Proceedings of the 29th Annual Computer Security Applications Conference
Useful password hashing: how to waste computing cycles with style

Proceedings of the 2013 workshop on New security paradigms workshop

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper we attempt to determine the effectiveness of using entropy, as defined in NIST SP800-63, as a measurement of the security provided by various password creation policies. This is accomplished by modeling the success rate of current password cracking techniques against real user passwords. These data sets were collected from several different websites, the largest one containing over 32 million passwords. This focus on actual attack methodologies and real user passwords quite possibly makes this one of the largest studies on password security to date. In addition we examine what these results mean for standard password creation policies, such as minimum password length, and character set requirements.