Communications of the ACM
Password security: a case history
Communications of the ACM
Password Memorability and Security: Empirical Results
IEEE Security and Privacy
Fast dictionary attacks on passwords using time-space tradeoff
Proceedings of the 12th ACM conference on Computer and communications security
InfoSecCD '06 Proceedings of the 3rd annual conference on Information security curriculum development
A large-scale study of web password habits
Proceedings of the 16th international conference on World Wide Web
Helping users create better passwords: is this the right approach?
Proceedings of the 3rd symposium on Usable privacy and security
Memorability of persuasive passwords
CHI '08 Extended Abstracts on Human Factors in Computing Systems
Improving text passwords through persuasion
Proceedings of the 4th symposium on Usable privacy and security
Persuasion for Stronger Passwords: Motivation and Pilot Study
PERSUASIVE '08 Proceedings of the 3rd international conference on Persuasive Technology
Password Cracking Using Probabilistic Context-Free Grammars
SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
A comprehensive simulation tool for the analysis of password policies
International Journal of Information Security
The true cost of unusable password policies: password use in the wild
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Encountering stronger password requirements: user attitudes and behaviors
Proceedings of the Sixth Symposium on Usable Privacy and Security
Testing metrics for password creation policies by attacking large sets of revealed passwords
Proceedings of the 17th ACM conference on Computer and communications security
Password Entropy and Password Quality
NSS '10 Proceedings of the 2010 Fourth International Conference on Network and System Security
Of passwords and people: measuring the effect of password-composition policies
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
FC'10 Proceedings of the 14th international conference on Financial Cryptography and Data Security
SP '12 Proceedings of the 2012 IEEE Symposium on Security and Privacy
The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords
SP '12 Proceedings of the 2012 IEEE Symposium on Security and Privacy
The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes
SP '12 Proceedings of the 2012 IEEE Symposium on Security and Privacy
How does your password measure up? the effect of strength meters on password creation
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Building better passwords using probabilistic techniques
Proceedings of the 28th Annual Computer Security Applications Conference
Hi-index | 0.00 |
Passwords are the most common form of authentication for computer systems, and with good reason: they are simple, intuitive and require no extra device for their use. Unfortunately, users often choose weak passwords that are easy to guess. Various methods of helping users select strong passwords have been deployed, often in the form of requirements for the minimum length and number of character classes to use. Alternatively, a site could modify a user's password in order to make it more secure; strengthening algorithms have been proposed that extend/modify a user-supplied password until achieving sufficient strength. Researchers have suggested that it may be possible to balance password strength with memorability by limiting automated changes to one or two characters while evaluating the generated passwords' strength against known cracking algorithms. This paper shows that passwords that were strengthened against the best known cracking algorithms are still susceptible to attack, provided the adversary knows the strengthening algorithm. We propose two attacks: (1) by strengthening the data sets with the known algorithm, which increases the percentage of recovered passwords by a factor of 2-5, and (2) by a brute-force attack on the initial passwords and space of possible changes, recovering all passwords produced when a sufficiently weak initial password was suggested. As a result, we find that the proposed strengthening algorithms do not yet satisfy Kerckhoffs's principle.