Text-based passwords remain the dominant authentication method in computer systems, despite significant advancement in attackers' capabilities to perform password cracking. In response to this threat, password composition policies have grown increasingly complex. However, there is insufficient research defining metrics to characterize password strength and using them to evaluate password-composition policies. In this paper, we analyze 12,000 passwords collected under seven composition policies via an online study. We develop an efficient distributed method for calculating how effectively several heuristic password-guessing algorithms guess passwords. Leveraging this method, we investigate (a) the resistance of passwords created under different conditions to guessing, (b) the performance of guessing algorithms under different training sets, (c) the relationship between passwords explicitly created under a given composition policy and other passwords that happen to meet the same requirements, and (d) the relationship between guessability, as measured with password-cracking algorithms, and entropy estimates. Our findings advance understanding of both password-composition policies and metrics for quantifying password security.