Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms

Text-based passwords remain the dominant authentication method in computer systems, despite significant advancement in attackers' capabilities to perform password cracking. In response to this threat, password composition policies have grown increasingly complex. However, there is insufficient research defining metrics to characterize password strength and using them to evaluate password-composition policies. In this paper, we analyze 12,000 passwords collected under seven composition policies via an online study. We develop an efficient distributed method for calculating how effectively several heuristic password-guessing algorithms guess passwords. Leveraging this method, we investigate (a) the resistance of passwords created under different conditions to guessing, (b) the performance of guessing algorithms under different training sets, (c) the relationship between passwords explicitly created under a given composition policy and other passwords that happen to meet the same requirements, and (d) the relationship between guessability, as measured with password-cracking algorithms, and entropy estimates. Our findings advance understanding of both password-composition policies and metrics for quantifying password security.
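As an added illustration of the guess-number metric the abstract describes (example code written for this page, not the paper's implementation or data), the following Python trains a toy structure-based guesser on a constructed password set, enumerates its guesses once in descending probability, turns that ordering into a rank lookup so each test password's guess number costs a single dictionary lookup rather than a re-run of the guesser, and places a simplified NIST SP 800-63 entropy estimate beside each guess number so the two metrics can be compared. The training passwords, the enumeration budget, and the bit weights in `nist_entropy_bits` are assumptions for illustration.

```python
"""Toy guess-number simulation for comparing guessability with an
entropy estimate.  Added example code, not the paper's system.
The training data below is constructed, not a real password set."""
import itertools
import re
from collections import Counter
from fractions import Fraction

# Constructed training set: (password, count).  Counts stand in for how
# often each string appears in a hypothetical training corpus.
TRAINING = [("password", 50), ("password1", 30), ("letmein", 20),
            ("iloveyou", 20), ("monkey1", 10), ("dragon12", 10),
            ("qwerty!", 5), ("summer2012", 5), ("love99", 5)]

# Segment a string into runs of letters, digits and symbols.
TOKEN_RE = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+")


def segments(pw):
    """'love99' -> [('L', 4, 'love'), ('D', 2, '99')]"""
    out = []
    for run in TOKEN_RE.findall(pw):
        cls = "L" if run[0].isalpha() else "D" if run[0].isdigit() else "S"
        out.append((cls, len(run), run))
    return out


def train(training):
    """Learn structure probabilities and per-(class, length) terminal
    probabilities: a simplified structure-based (PCFG-style) model."""
    struct_counts = Counter()
    term_counts = {}
    total = sum(c for _, c in training)
    for pw, count in training:
        segs = segments(pw)
        struct_counts[tuple((cls, n) for cls, n, _ in segs)] += count
        for cls, n, run in segs:
            term_counts.setdefault((cls, n), Counter())[run] += count
    # Exact fractions keep ties exact, so the guess order is deterministic.
    struct_p = {s: Fraction(c, total) for s, c in struct_counts.items()}
    term_p = {k: {run: Fraction(c, sum(ctr.values())) for run, c in ctr.items()}
              for k, ctr in term_counts.items()}
    return struct_p, term_p


def guess_order(model, budget=100_000):
    """Enumerate guesses once, most probable first (ties broken alphabetically)."""
    struct_p, term_p = model
    scored = []
    for struct, ps in struct_p.items():
        choices = [list(term_p[key].items()) for key in struct]
        for combo in itertools.product(*choices):
            p = ps
            for _, tp in combo:
                p *= tp
            scored.append((-p, "".join(run for run, _ in combo)))
    scored.sort()
    return [guess for _, guess in scored[:budget]]


def rank_table(order):
    """Guess -> 1-based guess number.  Built once; afterwards every test
    password costs one lookup instead of re-running the guesser per password."""
    return {guess: i + 1 for i, guess in enumerate(order)}


def guess_number(pw, table):
    """Guess number of pw, or None if it lies beyond the enumeration budget."""
    return table.get(pw)


def nist_entropy_bits(pw):
    """Simplified NIST SP 800-63 rule of thumb for user-chosen passwords
    (4 bits for the first character, 2 bits each for characters 2-8,
    1.5 bits each for 9-20, 1 bit each after that, +6 if both uppercase
    and non-alphabetic characters are present).  The weights and the
    composition bonus are assumptions for illustration."""
    n = len(pw)
    bits = 4.0 if n else 0.0
    bits += 2.0 * max(0, min(n, 8) - 1)
    bits += 1.5 * max(0, min(n, 20) - 8)
    bits += 1.0 * max(0, n - 20)
    if any(c.isupper() for c in pw) and any(not c.isalpha() for c in pw):
        bits += 6.0
    return bits


MODEL = train(TRAINING)
ORDER = guess_order(MODEL)
TABLE = rank_table(ORDER)


def compare(test_passwords, table=TABLE):
    """(password, guess number, entropy estimate) for each test password."""
    return [(pw, guess_number(pw, table), nist_entropy_bits(pw))
            for pw in test_passwords]


if __name__ == "__main__":
    for row in compare(["password", "summer2012", "dragon12", "Passw0rd!"]):
        print(row)
```

On this constructed set the model emits 27 guesses; `summer2012` is guess 25 and `password` is guess 1, yet the entropy rule scores `summer2012` (21 bits) above `password` (18 bits), which is the kind of divergence between guess numbers and entropy estimates that point (d) of the abstract examines. Passwords outside the enumeration budget come back as `None`, so a practitioner plotting guessed-fraction against guess number can treat them as "not guessed within budget" rather than silently assigning them a rank.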
