A password composition policy restricts the space of allowable passwords to eliminate weak passwords that are vulnerable to statistical guessing attacks. Usability studies have demonstrated that existing password composition policies can sometimes result in weaker password distributions; hence a more principled approach is needed. We introduce the first theoretical model for optimizing password composition policies. We study the computational and sample complexity of this problem under different assumptions on the structure of policies and on users' preferences over passwords. Our main positive result is an algorithm that, with high probability, constructs almost optimal policies (which are specified as a union of subsets of allowed passwords), and requires only a small number of samples of users' preferred passwords. We complement our theoretical results with simulations using a real-world dataset of 32 million passwords.
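As an added illustration of the model sketched in the abstract (example code written for this page, not the paper's algorithm or its 32-million-password dataset): a policy is a union of allowed-password subsets, each sampled user is assumed to register the most preferred password the policy allows, and a policy is scored by how often an attacker's most popular guesses succeed against the resulting distribution. The ten user rankings, the three building blocks and the exhaustive search over unions are constructed assumptions; on this sample a "require a digit" policy scores worse than no policy at all, the effect the abstract attributes to existing policies.

```python
from collections import Counter
from itertools import combinations

# Constructed sample: each user's ranked password preferences, most preferred first.
SAMPLE = [
    ["password", "password1", "Tr0ub4dor&3"],
    ["password", "password1", "Password!"],
    ["password", "password1", "letmein!"],
    ["qwerty", "password1", "qwerty!"],
    ["letmein", "password1", "letmein!"],
    ["iloveyou", "iloveyou1", "love@you"],
    ["123456", "1234567", "12345678!"],
    ["dragon", "dragon99", "Dragon#99"],
    ["monkey", "monkey1", "m0nk3y!!"],
    ["abc123", "abc1234", "abc@1234"],
]

# Hypothetical building blocks: each is a subset of allowed passwords, given as a predicate.
BLOCKS = {
    "has_digit": lambda pw: any(c.isdigit() for c in pw),
    "has_symbol": lambda pw: any(not c.isalnum() for c in pw),
    "len>=8": lambda pw: len(pw) >= 8,
}

def allowed(policy, pw):
    """A policy is a union of blocks; the empty policy means no restriction (baseline)."""
    return not policy or any(BLOCKS[b](pw) for b in policy)

def induced_distribution(policy, sample):
    """Each user registers their most preferred allowed password; users with none are dropped."""
    counts = Counter()
    for ranking in sample:
        chosen = next((pw for pw in ranking if allowed(policy, pw)), None)
        if chosen is not None:
            counts[chosen] += 1
    return counts

def guess_success(policy, sample, k=1):
    """Probability that an attacker's k most popular guesses hit a random user's password."""
    counts = induced_distribution(policy, sample)
    total = sum(counts.values())
    return sum(c for _, c in counts.most_common(k)) / total if total else 1.0

def best_policy(sample, k=1):
    """Exhaustive search over every union of blocks (plus the baseline), minimising k-guess success."""
    candidates = [()] + [p for r in range(1, len(BLOCKS) + 1)
                         for p in combinations(BLOCKS, r)]
    return min(candidates, key=lambda p: guess_success(p, sample, k))
```

Note that adding a block to a union makes the policy more permissive, never stricter, so the strongest single-block policy can beat every union on a given sample.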