Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms. Kelley, P. G., Komanduri, S., Mazurek, M. L., Shay, R., Vidas, T., Bauer, L., Christin, N., Cranor, L. F., & Lopez, J. In Security and Privacy (SP), 2012 IEEE Symposium on.
Text-based passwords remain the dominant authentication method in computer systems, despite significant advancement in attackers' capabilities to perform password cracking. In response to this threat, password composition policies have grown increasingly complex. However, there is insufficient research defining metrics to characterize password strength and using them to evaluate password-composition policies. In this paper, we analyze 12,000 passwords collected under seven composition policies via an online study. We develop an efficient distributed method for calculating how effectively several heuristic password-guessing algorithms guess passwords. Leveraging this method, we investigate (a) the resistance of passwords created under different conditions to guessing, (b) the performance of guessing algorithms under different training sets, (c) the relationship between passwords explicitly created under a given composition policy and other passwords that happen to meet the same requirements, and (d) the relationship between guessability, as measured with password-cracking algorithms, and entropy estimates. Our findings advance understanding of both password-composition policies and metrics for quantifying password security.
@inproceedings{ Kelley:km,
  author = {Kelley, P G and Komanduri, S and Mazurek, M L and Shay, R and Vidas, T and Bauer, L. and Christin, N and Cranor, L.F. and Lopez, J},
  title = {{Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms}},
  booktitle = {Security and Privacy (SP), 2012 IEEE Symposium on},
  keywords = {passwords, HFSP},
  doi = {10.1109/SP.2012.38},
  read = {Yes},
  rating = {0},
  date-added = {2012-11-15T22:13:09GMT},
  date-modified = {2015-01-20T20:19:03GMT},
  abstract = {Text-based passwords remain the dominant authentication method in computer systems, despite significant advancement in attackers' capabilities to perform password cracking. In response to this threat, password composition policies have grown increasingly complex. However, there is insufficient research defining metrics to characterize password strength and using them to evaluate password-composition policies. In this paper, we analyze 12,000 passwords collected under seven composition policies via an online study. We develop an efficient distributed method for calculating how effectively several heuristic password-guessing algorithms guess passwords. Leveraging this method, we investigate (a) the resistance of passwords created under different conditions to guessing, (b) the performance of guessing algorithms under different training sets, (c) the relationship between passwords explicitly created under a given composition policy and other passwords that happen to meet the same requirements, and (d) the relationship between guessability, as measured with password-cracking algorithms, and entropy estimates. Our findings advance understanding of both password-composition policies and metrics for quantifying password security.},
  url = {http://ieeexplore.ieee.org/xpl/articleDetails.jsp?tp=&arnumber=6234434&contentType=Conference+Publications&matchBoolean%3Dtrue%26rowsPerPage%3D30%26searchField%3DSearch_All%26queryText%3D%28p_Authors%3Akelley+AND+%28p_Authors%3Akomanduri+AND+p_Authors%3Amazurek%29%29},
  local-url = {file://localhost/Users/michelle/Library/Application%20Support/Papers2/Articles/Unknown/Kelley/Security%20and%20Privacy%20(SP)%202012%20IEEE%20Symposium%20on%20%20Kelley.pdf},
  file = {{Security and Privacy (SP) 2012 IEEE Symposium on  Kelley.pdf:/Users/michelle/Library/Application Support/Papers2/Articles/Unknown/Kelley/Security and Privacy (SP) 2012 IEEE Symposium on  Kelley.pdf:application/pdf}},
  uri = {\url{papers2://publication/doi/10.1109/SP.2012.38}}
}