Guess again (and again and again):
Measuring password strength by
simulating password-cracking
algorithms
Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek,
Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie
Faith Cranor, and Julio López
Carnegie Mellon University
Pittsburgh, PA, USA
Presentation by David Ferreras
The Problem
• How can we tell whether a password is secure?
• Which requirements make a password more resistant
to attacks?
The Problem
• There are many different composition policies
that can be applied when creating a password:
– Minimum length
– Numbers and symbols
– Don’t allow words from a dictionary
– Etc.
Which one is better?
The Problem
And, of course, users have to be able to
remember it!
Measuring password strength
• The two most common methods:
– Information entropy
• The expected value (in bits) of the information contained in
a string. It provides a lower bound on the expected
number of guesses needed to find the string.
– Empirically
• Analyze the passwords with password-guessing tools.
Measuring password strength
The method in this paper:
• Collect a dataset of passwords created under different
password-composition policies
• Estimate how long (how many guesses) it would take for
various password-guessing tools to guess each
password collected
This is called the guess-number calculator.
Test data
• Passwords created under different conditions:
– Basic8survey: at least 8 characters, in a survey scenario
– Basic8: at least 8 characters, in an email scenario
– Basic16: at least 16 characters
– Dictionary8: at least 8 characters and may not contain a
dictionary word (Openwall list)
– Comprehensive8: at least 8 characters including an uppercase
and a lowercase letter, a symbol and a digit. It may not contain a
dictionary word (Openwall list)
– BlacklistEasy: at least 8 characters and may not contain a
dictionary word (UNIX dictionary)
– BlacklistMedium: same as before but with the paid Openwall
list
– BlacklistHard: dictionary with 5 billion words
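The conditions above are composition policies, and a practitioner evaluating them usually wants them as checkable rules. The following is an added example, not code from the paper or the presentation: each policy is expressed as a predicate over a candidate password. The dictionary rule is assumed here to mean "no dictionary word of three or more letters appears as a case-insensitive substring"; the study's exact check and its Openwall and UNIX word lists are not reproduced, so small constructed word lists stand in for them.

```python
# Added example, not from the paper or slides: the study's composition policies
# expressed as predicates. The dictionary check (case-insensitive substring,
# words of 3+ letters) and the tiny word lists are assumptions for illustration.
import re
from typing import Callable, Dict, Set

# Constructed stand-in for a dictionary/blacklist (the real lists are far larger).
SMALL_DICTIONARY: Set[str] = {"password", "monkey", "dragon", "letter", "sun", "shine"}
# Constructed stand-in for a bigger, paid list: everything above plus more words.
BIGGER_DICTIONARY: Set[str] = SMALL_DICTIONARY | {"horse", "staple", "battery"}


def contains_dictionary_word(pw: str, words: Set[str], min_len: int = 3) -> bool:
    """True if any word of at least min_len letters occurs inside pw (case-insensitive)."""
    lowered = pw.lower()
    return any(len(w) >= min_len and w in lowered for w in words)


def has_all_character_classes(pw: str) -> bool:
    """Uppercase, lowercase, digit and symbol all present (the Comprehensive8 rule)."""
    return all(re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"))


def blacklist_policy(min_len: int, words: Set[str]) -> Callable[[str], bool]:
    """Build a 'length >= min_len and no dictionary word' policy for a given word list."""
    return lambda pw: len(pw) >= min_len and not contains_dictionary_word(pw, words)


POLICIES: Dict[str, Callable[[str], bool]] = {
    "basic8": lambda pw: len(pw) >= 8,
    "basic16": lambda pw: len(pw) >= 16,
    "dictionary8": blacklist_policy(8, SMALL_DICTIONARY),
    "comprehensive8": lambda pw: (len(pw) >= 8
                                  and has_all_character_classes(pw)
                                  and not contains_dictionary_word(pw, SMALL_DICTIONARY)),
    "blacklistEasy": blacklist_policy(8, SMALL_DICTIONARY),
    "blacklistMedium": blacklist_policy(8, BIGGER_DICTIONARY),
}


def evaluate(pw: str) -> Dict[str, bool]:
    """Report which of the study's policies a candidate password would satisfy."""
    return {name: bool(rule(pw)) for name, rule in POLICIES.items()}


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3", "correcthorsebatterystaple"):
        print(candidate, evaluate(candidate))
```

Note that a long passphrase passes Basic16 and the easy blacklist but fails BlacklistMedium as soon as one of its words is on the larger list, which is exactly why the study compares the policies by measured guessability rather than by how strict they look.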
Guess-number calculator
For most password-guessing algorithms, it is
possible to create a function that maps a password
to the number of guesses required to guess it.
The calculator is built as a machine-learning algorithm.
The password-guessing algorithms tested are:
• Brute-force Markov model
• Weir algorithm
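The key idea of the guess-number calculator is that a guessing algorithm with a fixed guess order defines a function from a password to the position at which it would be guessed, and that position can often be computed directly instead of by running the cracker. The following is an added example, not the paper's calculator, that shows this for two deliberately simple algorithms: length-first brute force over a fixed alphabet, and a small wordlist with ordered mangling rules, a much-simplified stand-in for a Weir-style ordering. The alphabet, the wordlist and the rule order are constructed assumptions; the paper's Markov and Weir calculators are far more elaborate.

```python
# Added example, not the paper's calculator: a toy guess-number calculator for two
# simple guessing algorithms, (1) length-first brute force over a fixed alphabet and
# (2) a wordlist with ordered mangling rules (a much-simplified Weir-style ordering).
# Both map a password directly to its 1-based guess number without generating guesses.
from typing import Callable, Dict, List, Optional, Tuple

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # assumed brute-force alphabet, in guess order
DIGITS = "0123456789"


def brute_force_guess_number(pw: str, alphabet: str = ALPHABET, max_len: int = 8) -> Optional[int]:
    """Guess number under brute force that tries all length-1 strings, then length-2, ...
    Computed in closed form; None if pw lies outside the search space."""
    n = len(alphabet)
    if not pw or len(pw) > max_len or any(c not in alphabet for c in pw):
        return None
    shorter = sum(n ** length for length in range(1, len(pw)))  # strings guessed before this length
    rank = 0                                                     # position among same-length strings
    for c in pw:
        rank = rank * n + alphabet.index(c)
    return shorter + rank + 1


# Constructed wordlist, most probable word first (as a trained cracker would order it).
WORDLIST = ["password", "letmein", "monkey", "dragon", "sunshine"]
WORD_INDEX: Dict[str, int] = {w: i for i, w in enumerate(WORDLIST)}

Hit = Optional[Tuple[str, int]]  # (base word, variant index) or None


def _digits(s: str) -> bool:
    return s != "" and all(c in DIGITS for c in s)


# Each rule's inverse takes a candidate password and returns (base_word, variant_index)
# if the rule could have produced it, else None. The cracker is assumed to try rules in
# this order and, within a rule, words in wordlist order and variants in index order.
def _inv_as_is(pw: str) -> Hit:
    return (pw, 0)

def _inv_capitalize(pw: str) -> Hit:
    return (pw[0].lower() + pw[1:], 0) if pw[:1].isupper() else None

def _inv_append_digit(pw: str) -> Hit:
    return (pw[:-1], int(pw[-1])) if _digits(pw[-1:]) else None

def _inv_capitalize_append_digit(pw: str) -> Hit:
    hit = _inv_append_digit(pw)
    if hit is None:
        return None
    base, digit = hit
    cap = _inv_capitalize(base)
    return (cap[0], digit) if cap else None

def _inv_append_two_digits(pw: str) -> Hit:
    return (pw[:-2], int(pw[-2:])) if len(pw) > 2 and _digits(pw[-2:]) else None

RULES: List[Tuple[str, Callable[[str], Hit], int]] = [
    ("as-is", _inv_as_is, 1),
    ("capitalize first letter", _inv_capitalize, 1),
    ("append one digit", _inv_append_digit, 10),
    ("capitalize + append one digit", _inv_capitalize_append_digit, 10),
    ("append two digits", _inv_append_two_digits, 100),
]


def wordlist_guess_number(pw: str) -> Optional[int]:
    """Guess number under the wordlist-plus-rules cracker; None if it never guesses pw."""
    offset = 0  # guesses consumed by earlier rules
    for _name, inverse, variants in RULES:
        hit = inverse(pw)
        if hit is not None and hit[0] in WORD_INDEX:
            base, variant = hit
            return offset + WORD_INDEX[base] * variants + variant + 1
        offset += len(WORDLIST) * variants
    return None


def strength_report(pw: str) -> Dict[str, Optional[int]]:
    """Guess number per algorithm; a stronger password needs more guesses under each."""
    return {"brute_force": brute_force_guess_number(pw),
            "wordlist_rules": wordlist_guess_number(pw)}


if __name__ == "__main__":
    for candidate in ("password", "Monkey1", "letmein99", "q7zp2k"):
        print(candidate, strength_report(candidate))
```

The inverse-rule trick is what makes the calculator cheap: "Monkey1" is located by undoing the capitalize-and-append-digit rule and looking up "monkey", so its guess number follows from the sizes of the rule blocks that precede it, with no guesses actually generated. A password that no algorithm ever reaches (None) is, for that algorithm, stronger than any finite guess number.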
Results
Conclusions
Most secure requirements
• Basic16: at least 16 characters
• Comprehensive8: at least 8 characters including an
uppercase and a lowercase letter, a symbol and a digit.
It may not contain a dictionary word
Any questions?