poster - INSuRE

Password Policies and Their Effect on User-Created Passwords
Will Gossard, Scott Bryant, Alex Sperr
Institution: University of Maryland, Baltimore County

Introduction
● The main goal of this project was to conduct a statistical analysis of multiple
leaked and cracked password databases with respect to their password policies.
● Passwords are a weak security system and these policies are used in an attempt
to make the passwords more ‘secure’.
● It is not the password system that causes problems to the security of the system;
it is the user.

Background and Previous Research
● The field of passwords and their security is both large and varied. Because of this, the
amount of previous research done on this topic is staggering. Some of this research
includes:
○ Campbell et al. [4]: work on the human psychology behind password choices
○ Blocki et al. [8]: an algorithm that selects the optimal password policy based on
user-preferred passwords
○ Weir et al. [10]: analysis of password metrics
○ Shay and Bertino [14]: simulating user password creation under different policies
● We had to closely examine previous work to ensure that this project and its
methodology had not already been completed prior to our research. We concluded,
after an extensive literature review, that no previous research project had analyzed
several real-world password databases to determine the effect that the various
password policies have on the security of the passwords.

Methods
● Obtain password databases and corresponding policies.
○ These include: Facebook, Yahoo Voice, RockYou and Hotmail
● Grammatical and statistical analysis
○ Used Pipal, an open-source password database analyzer
● Testing the security of the passwords via an open-source password hash
cracker, ‘John the Ripper’.
○ Randomly selected 100 passwords from each database
○ Hashed the passwords using the MD5 algorithm
○ Recorded the time to crack each password, with a cutoff
for most of the passwords at 1 hour

Data
● The resulting data from each database consisted of
an analyzed and parsed form of the database, and a
file of the randomly selected cracked and uncracked
password hashes.
● The cracking results for each database varied by a
large margin. A large percentage of passwords from
each database were cracked within the allotted hour or
just over an hour. The remaining passwords were not
cracked in the time allotted, and in some cases not even
when left to run for a longer period of time (i.e. up to
12 hours).

Figure 1.1: This figure depicts the password policies of their
respective databases.
Database    | Policy                            | Size (Passwords) | Year
Facebook    | Minimum 6 chars                   | 18779            | 2012
Yahoo Voice | No minimum, Max 32 chars          | 442835           | 2012
RockYou     | Minimum 5 chars, no special chars | 14344313         | 2009-12
Hotmail     | Minimum of 6 chars                | 8930             | 2011

Results
The Pipal analysis yielded many facets of statistical and grammatical analysis for the databases.
These included: frequency of base words, distribution of the length of the password, the common
number sequences and character sets, possible references to dates, area codes and zip codes,
character set ordering, and hashcat masks. The length distribution, a word cloud of the common
base words, and the character sets of each database are shown below.

Password Length
Figure 1.2: Number of passwords with the accompanying
percentages for the corresponding lengths
Character length | Hotmail       | RockYou          | Facebook      | Yahoo Voice
6                | 1823 (20.41%) | 1947848 (13.58%) | 5656 (30.12%) | 79626 (17.98%)
7                | 1306 (14.62%) | 2506256 (17.47%) | 2651 (14.12%) | 65609 (14.82%)
8                | 1769 (19.81%) | 2965991 (20.68%) | 2834 (15.09%) | 119133 (26.9%)
9                | 1098 (12.3%)  | 2190993 (15.27%) | 1769 (9.42%)  | 65963 (14.9%)
10               | 773 (8.66%)   | 2013686 (14.04%) | 2027 (10.79%) | 54757 (12.37%)

Base-Word Word Cloud
[Figure: base-word word cloud for each database: RockYou, Facebook, Hotmail, Yahoo Voice]
On a cursory observation of the most common base words, it is
apparent that the demographics and culture of the people creating
the passwords greatly influence password choices. For example,
the use of the words ‘diciembre’ and ‘abril’ in the Hotmail database
strongly suggests a Spanish-speaking user base. An attacker with
this knowledge can tailor their attack to try the lexicon of the specific
user base.

Character Sets
Number of passwords in each database with corresponding:
only lowercase alpha in password, only alpha in password, and
only numeric in password. The format being ‘total number (total %)’.
Character set        | Hotmail       | RockYou          | Facebook      | Yahoo Voice
Only lowercase alpha | 3716 (41.61%) | 3726656 (25.98%) | 4837 (25.76%) | 146512 (33.09%)
Only alpha           | 3913 (43.82%) | 3956549 (27.58%) | 4942 (26.32%) | 148288 (33.49%)
Only numeric         | 1654 (18.52%) | 2346842 (16.36%) | 6455 (34.37%) | 26095 (5.89%)

Conclusions
● The differences in the policies had a minimal impact on
the security of the passwords.
○ Cracking times were, on average, the same
○ Lengths were always near the minimum required
○ The exception to this was Yahoo Voice. According to its password policy, it did not
have a minimum password length, but,
interestingly, it had a higher average password
length when compared to the other databases.
● Stricter policies ≠ More security
○ Users tend to pick the most memorable password
[1,2]
○ Adversaries will adapt and take advantage of this
● Eventually need a replacement system
○ The replacement needs to not rely on human
memorization

Possible Sources of Error
● Reliability of news sources
○ Are we sure of the policies?
● Reliability of the source of the leaked databases
○ How are we sure that these are the correct
databases?
● Unfortunately, unable to confirm either without actually
communicating with the administrators of the websites

Future Work
● Allow the password hash cracker more time to crack the
password hashes.
○ Or obtain a more powerful computer
● Implement our secondary plan
○ User study
● Process more databases with more policies
● Examine average entropy against either the entire
database or a random sample
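As an added example (it is not code from the poster, from Pipal, or from John the Ripper), the Python script below reproduces the kind of statistics the Methods and Results sections describe and the "average entropy" measurement proposed under Future Work: a length distribution and the three character-set classes in the same ‘total number (total %)’ format as the tables above, hashcat-style masks, base-word frequencies, the share of a set sitting at or just above a policy minimum (the "lengths near the minimum" observation from the Conclusions), and a contrast between a naive length-times-alphabet entropy estimate and the Shannon entropy of the empirical distribution of user choices. The password list is a small constructed sample, not any real leaked database; the base-word rule (strip leading and trailing non-letters, lowercase) is a simplified approximation of what Pipal does, and reading "average entropy" as the Shannon entropy of the distribution is an assumption, not something the poster specifies.

```python
import math
import re
from collections import Counter

# Constructed sample standing in for a leaked database; it is not real data and
# is deliberately small so every figure below can be checked by hand.
SAMPLE_PASSWORDS = [
    "password", "123456", "123456", "123456", "abril2011", "diciembre",
    "Qwerty1", "iloveyou", "Soccer12", "12345678", "p@ssw0rd", "letmein",
    "maria", "Tigers!!", "1234567890", "sunshine", "abcdef", "Abril",
    "diciembre", "password",
]


def percent(count, total):
    """Percentage rounded to two places, as in the poster's tables."""
    return round(100.0 * count / total, 2) if total else 0.0


def length_distribution(passwords):
    """Map each password length to (count, percent), like Figure 1.2."""
    total = len(passwords)
    counts = Counter(len(p) for p in passwords)
    return {n: (c, percent(c, total)) for n, c in sorted(counts.items())}


def charset_classes(passwords):
    """Counts for the three character-set classes of the Character Sets table."""
    total = len(passwords)
    tests = {
        "only lowercase alpha": lambda p: p.isalpha() and p.islower(),
        "only alpha": lambda p: p.isalpha(),
        "only numeric": lambda p: p.isdigit(),
    }
    result = {}
    for name, test in tests.items():
        count = sum(1 for p in passwords if test(p))
        result[name] = (count, percent(count, total))
    return result


def hashcat_mask(password):
    """Hashcat-style mask: ?l lower, ?u upper, ?d digit, ?s anything else."""
    classes = []
    for ch in password:
        if ch.islower():
            classes.append("?l")
        elif ch.isupper():
            classes.append("?u")
        elif ch.isdigit():
            classes.append("?d")
        else:
            classes.append("?s")
    return "".join(classes)


def base_word(password):
    """Simplified base word (assumption): strip leading/trailing non-letters, lowercase."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()


def top_base_words(passwords, n=3):
    """Most common non-empty base words (all-digit passwords yield no base word)."""
    words = Counter(w for w in map(base_word, passwords) if w)
    return words.most_common(n)


def share_near_minimum(passwords, minimum, slack=1):
    """Percent of passwords with minimum <= length <= minimum + slack."""
    near = sum(1 for p in passwords if minimum <= len(p) <= minimum + slack)
    return percent(near, len(passwords))


def naive_charset_entropy_bits(password):
    """Length * log2(alphabet size implied by the classes present): the
    brute-force view, which ignores how often users pick the same string."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return len(password) * math.log2(size)


def shannon_entropy_bits(passwords):
    """Shannon entropy of the empirical distribution over distinct passwords;
    duplicates such as the repeated '123456' pull this well below log2(N)."""
    total = len(passwords)
    return -sum((c / total) * math.log2(c / total)
                for c in Counter(passwords).values())


if __name__ == "__main__":
    for length, (count, pct) in length_distribution(SAMPLE_PASSWORDS).items():
        print(f"length {length:2d}: {count} ({pct}%)")
    for name, (count, pct) in charset_classes(SAMPLE_PASSWORDS).items():
        print(f"{name}: {count} ({pct}%)")
    print("top base words:", top_base_words(SAMPLE_PASSWORDS))
    print("share at or just above a 6-char minimum:",
          share_near_minimum(SAMPLE_PASSWORDS, 6), "%")
    print("mask for p@ssw0rd:", hashcat_mask("p@ssw0rd"))
    print("naive bits for 'password':",
          round(naive_charset_entropy_bits("password"), 2))
    print("Shannon bits of the whole sample:",
          round(shannon_entropy_bits(SAMPLE_PASSWORDS), 3),
          "of max", round(math.log2(len(SAMPLE_PASSWORDS)), 3))
```

The two entropy figures make the poster's point concrete: the naive estimate for "password" is about 37.6 bits, yet the whole sample carries under 3.9 bits of Shannon entropy against a ceiling of about 4.3 for twenty entries, because several users chose the same strings. Measured this way on a real database or a random sample of it, a policy that merely lifts the minimum length would barely move the number, which is what the cracking results above suggest.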
Bibliography
[1] Abe Singer, Warren Anderson, Rik Farrow. “Rethinking Password Policies”. August 2013. https://www.usenix.org/sites/default/files/rethinking_password_policies_unabridged.pdf
[2] Ashwini Rao, Birendra Jha, Gananand Kini. “Effect of Grammar on Security of Long Passwords”. 3rd ACM Conference on Data and Application Security and Privacy (CODASPY'13), San Antonio, Texas, Feb. 2013
[3] Bonneau, Joseph, (2011), University of Cambridge. “The Science of Guessing: Analyzing an Anonymized Corpus of 70 million passwords.” Retrieved web. 21 Feb. 2014. http://www.jbonneau.com/doc/B12-IEEESP-analyzing_70M_anonymized_passwords.pdf
[4] Campbell J. et al. (2010). “Impact of Restrictiveness Composition Policy on User Password Choices”. Vol. 30 issue 3, p379-388; retrieved from: http://web.b.ebscohost.com.proxy-bc.researchport.umd.edu/ehost/pdfviewer/pdfviewer?sid=0b727b22-c98e-4864-8a57-4507c5137a6d%40sessionmgr114&vid=10&hid=118
[5] Cazier, J. A. & Medlin, B. D. (2006). “How Secure is Your Password? An Analysis of E-Commerce Passwords”. Journal of Information Systems Security, 2 (3), 68-81.
[6] Dell'Amico, M. & Michiardi P. & Roudier Y. “Password strength: an empirical analysis”, Proceedings of the 29th conference on Information communications, p.983-991, March 14-19, 2010, San Diego, California, USA
[7] Department of Defense (1965). “Password Management Guideline” Retrieved web. 21 Feb. 2014. http://www.fas.org/irp/nsa/rainbow/std002.htm
[8] Jeremiah Blocki, Saranga Komanduri, Ariel Procaccia, and Or Sheffet. (2013). “Optimizing password composition policies”. In Proceedings of the fourteenth ACM conference on Electronic commerce (EC '13). ACM, New York, NY, USA, 105-122. DOI=10.1145/2482540.2482552 http://doi.acm.org.proxy-bc.researchport.umd.edu/10.1145/2482540.2482552
[9] Kacherginsky, P. (2013) "Automatic Password Rule Analysis and Generation." thesprawl.org. Retrieved web. 3 Feb. 2014. http://thesprawl.org/research/automatic-password-rule-analysisgeneration/.
[10] Matt Weir, Sudhir Aggarwal, Michael Collins, and Henry Stern. (2010). “Testing metrics for password creation policies by attacking large sets of revealed passwords”. In Proceedings of the 17th ACM conference on Computer and communications security (CCS '10). ACM, New York, NY, USA, 162-175. DOI=10.1145/1866307.1866327 http://doi.acm.org.proxy-bc.researchport.umd.edu/10.1145/1866307.1866327
[11] Mazurek, M., et al. (2013), Carnegie Mellon University. “Measuring Password Guessability for an Entire University.” Retrieved web. 19 Feb. 2014. https://www.cylab.cmu.edu/files/pdfs/tech_reports/CMUCyLab13013.pdf
[12] NIST Special Publication 800-63-2. Aug 2013. “Electronic Authentication Guideline”. Retrieved from: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
[13] Philip G. Inglesant and M. Angela Sasse. (2010). “The true cost of unusable password policies: password use in the wild”. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI '10). ACM, New York, NY, USA, 383-392. DOI=10.1145/1753326.1753384 http://doi.acm.org.proxy-bc.researchport.umd.edu/10.1145/1753326.1753384
[14] Shay, Richard; Bertino, Elisa. (2009). “A comprehensive simulation tool for the analysis of password policies” Vol. 8 Issue 4, p275-289; retrieved from: http://web.a.ebscohost.com/ehost/pdfviewer/pdfviewer?sid=2c196a6f-b6a7-430f-b3f9-095186691a72%40sessionmgr4001&vid=2&hid=4214
[15] Wood, Robin. “Pipal, Password Analyser” Retrieved from: http://www.digininja.org/projects/pipal.php
[16] Openwall. “John the Ripper password cracker” Retrieved from http://www.openwall.com/john/
Acknowledgements
We would like to acknowledge Dr. Alan Sherman for his criticism and
help in this project, as well as the people at Purdue, the NSA and
AIS, without whose cooperation and encouragement this class and
this project would not exist.
Contact Information
Will Gossard <goss2@umbc.edu>, UMBC Undergraduate Major: Comp Sci
Scott Bryant <scott17@umbc.edu>, UMBC Undergraduate Major: Comp Sci
Alex Sperr <sperr1@umbc.edu>, UMBC Undergraduate Major: Comp Sci