Testing metrics for password creation policies by attacking large sets of revealed passwords

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2010, Pages 162-175

  Weir, Matt ^a   Aggarwal, Sudhir ^a   Collins, Michael ^a   Stern, Henry ^a  

^a FLORIDA STATE UNIVERSITY   (United States)

Author keywords

Cybercrime; Password cracking; Password policies

Indexed keywords

CYBERCRIME; DATA SETS; PASSWORD CRACKING; PASSWORD CREATION; PASSWORD POLICIES; PASSWORD SECURITY; TESTING METRICS;

CHARACTER SETS; COMPUTER CRIME;

CRACKING (CHEMICAL);

EID: 78650022232     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1866307.1866327     Document Type: Conference Paper

References (30)

1. W. Burr, D. Dodson, R. Perlner, W. Polk, S. Gupta, E. Nabbus, "NIST Special Publication 800-63-1 Electronic Authentication Guideline", Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD, April, 2006
2. Office of Management and Budget, "Draft Agency Implementation, Guidance for Homeland Security, Presidential Directive 12", August 2004.
3. P. Bowen, A. Johnson, J. Hash, C. Dancy Smith, D. Steinberg, "NIST Special Publication 800-66 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule", Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD.
4. C.E. Shannon, "A Mathematical Theory of Communication", Bell System Technical Journal, vol. 27, pp. 379-423, 623- 656, July, October, 1948.
5. C. Herley, "So Long and No Thanks for the Externalities: The Rationl Rejection of Security Advice by Users." NSPW 09, September 8-11 2009 Oxford, United Kingdom.
6. A. Vance, "If Your Password is 123456 Just Make it HackMe" New York Times, January 20th, 2010. Page A1.
7. E. R. Verheul. "Selecting secure passwords", CT-RSA 2007, Proceedings Volume 4377 of Lecture Notes in Computer Science, pages 49-66. Springer Verlag, Berlin, 2007.
8. J.L. Massey, "Guessing and Entropy," Proc. 1994 IEEE International Symposium on Information Theory, 1995, p.329.
9. The OpenWall Group, [Software] John the Ripper password cracker, [Online Document] [cited 2-19-2010] Available HTTP http://www.openwall.com
10. A list of popular password cracking wordlists, 2005, [Online Document] [cited 2010 January 14] Available HTTP http://www.outpost9.com/files/WordLists. html
11. M. Weir and S. Aggarwal. "Cracking 400,000 Passwords or How to Explain to Your Roommate why the Power-Bill is a Little High", Defcon 17, Las Vegas, NV, August 2009
12. J. Leversund "The Password Meta Policy" [Online Document] [cited 2010 April 16] Available HTTP http://securitynirvana.blogspot.com/2010/ 02/password-metapolicy.html
13. G. Bard, "Spelling-Error Tolerant, Order Independent Pass- Phrases via the Damerau-Levenshtein String-Edit Distance Metric" Fifth Australasian Symposium on ACSW Frontiers - Volume 68 (Ballarat, Australia, January 30 - February 02, 2007), 117-124.
14. A. Forget, S. Chiasson, P.C. van Oorschot, R. Biddle, "Improving Text Passwords through Persuasion." Symposium on Usable Privacy and Security (SOUPS) 2008, July 23-25, 2008, Pittsburgh, PA USA.
15. B. Schneier, "Write Down Your Password", June 17, 2005
16. [Online Document] [cited 2010 April 16] Available HTTP http://www.schneier.com/blog/archives/2005/06/write-down-your.html
17. Various Authors, "Faithwriters.com hacked message posts
18. [Online Document] [cited 2010 April 16] Available HTTP http://forums.crosswalk.com/m-4252083/mpage-1/tm.htm
19. B. Ryan, "The Hacking of the http://db.singles.org" [Online Document] [cited 2010 April 16] Available HTTP http://msmvps.com/blogs/ williamryan/archive/2009/02/22/th e-hacking-of-http-db-singles-org.aspx
20. M. Weir, Sudhir Aggarwal, Breno de Medeiros, Bill Glodek, "Password Cracking Using Probabilistic Context Free Grammars," Proceedings of the 30th IEEE Symposium on Security and Privacy, May 2009.
21. R. Morris and K. Thompson. "Password security: a case history" Communications. ACM, 22(11):594-597, 1979.
22. A. Narayanan and V. Shmatikov, Fast Dictionary Attacks on Passwords Using Time-Space Tradeoff, CCS'05, November 7-11, 2005, Alexandria, Virginia
23. J. Yan, A. Blackwell, R. Anderson, and A. Grant. Password Memorability and Security: Empirical Results. IEEE Security and Privacy Magazine, Volume 2, Number 5, pages 25-31, 2004.
24. T. Wu, "A real-world analysis of kerberos password security," in 1999 Network and Distributed System Security Symposium, February 1999.
25. B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna, "Your botnet is my botnet: Analysis of a botnet takeover," Tech. Rep., April 2009.
26. Sophos, "Security at risk as one third of surfers admit they use the same password for all websites", [Online Document]
27. [cited 2010 July 14] Available HTTP http://www.sophos.com/pressoffice/ news/articles/2009/03/pa ssword-security.html
28. L. Clair, L. Johansen, W. Enck, M. Pirretti, P. Traynor, P. McDaniel and T. Jaeger, "Password Exhaustion: Predicting the End of Password Usefulness" ICISS, volume 4332 of Lecture Notes in Computer Science, pages 37-55, 2006.
29. J. Bonneau, S. Preibusch, "The Password Thicket: Technical and Market Failures in Human Authentication on the Web", The Ninth Workshop on the Economics of Information Security, WEIS 2010.
30. K. Zetter, "Weak Password Brings 'Happiness' to Twitter Hacker" [Online Document] [cited 10'0 July 19] Available HTTP http://www.wired.com/ threatlevel/2009/01/professedtwitt/