The distribution of passwords chosen by users has implications for site security, password-handling algorithms and even how users are permitted to select passwords. Using password lists from four different web sites, we investigate whether Zipf's law is a good description of the frequency with which passwords are chosen. We use a number of standard statistics, which measure the security of password distributions, to see whether modelling the data using a simple distribution is effective. We then consider how much the password distributions from each site have in common, using password cracking as a metric. This shows that these distributions have enough high-frequency passwords in common to provide effective speed-ups for cracking passwords. Finally, as an alternative to a deterministic banned list, we show how to stochastically shape the distribution of passwords by occasionally asking users to choose a different password.