Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2012, Pages 523-537

  Kelley, Patrick Gage ^a   Komanduri, Saranga ^a   Mazurek, Michelle L ^a   Shay, Richard ^a   Vidas, Timothy ^a   Bauer, Lujo ^a   Christin, Nicolas ^a   Cranor, Lorrie Faith ^a   López, Julio ^a  

^a CARNEGIE MELLON UNIVERSITY   (United States)

Author keywords

authentication; passwords; user study

Indexed keywords

CRACKS; HEURISTIC ALGORITHMS; HEURISTIC METHODS; NETWORK SECURITY;

AUTHENTICATION METHODS; CONDITION; DISTRIBUTED METHODS; ONLINE STUDIES; PASSWORD; PASSWORD COMPOSITION POLICIES; PASSWORD CRACKING; PASSWORD GUESSING; PASSWORD STRENGTH; USER STUDY;

AUTHENTICATION;

EID: 84865012140     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2012.38     Document Type: Conference Paper

References (51)

1. D. Florêncio and C. Herley, "A large-scale study of web password habits," in Proc. WWW'07, 2007.
2. M. Dell'Amico, P. Michiardi, and Y. Roudier, "Password strength: An empirical analysis," in Proc. INFOCOM 2010, 2010.
3. M. Bishop and D. V. Klein, "Improving system security via proactive password checking," Computers & Security, vol. 14, no. 3, pp. 233-249, 1995.
4. L. Constantin, "Sony stresses that PSN passwords were hashed," http://news.softpedia.com/news/Sony-Stresses-PSN-Passwords-Were-Hashed-198218. shtml, May 2011.
5. P. Bright, "Anonymous speaks: The inside story of the HBGary hack," http://arst.ch/q6g, February 2011.
6. J. Bonneau, "The Gawker hack: how a million passwords were lost," Dec. 2010, http://www.lightbluetouchpaper.org/2010/12/15/the-gawker- hack-how-a-million-passwords-were-lost/.
7. P. Bright, "'Military meltdown Monday': 90k military usernames, hashes released," http://arstechnica.com/tech-policy/news/2011/07/military- meltdown-monday-90k-military-usernames-hashes-released.ars, 2011.
8. S. Gaw and E. W. Felten, "Password management strategies for online accounts," in Proc. SOUPS, 2006.
9. R. Shay, S. Komanduri, P. Kelley, P. Leon, M. Mazurek, L. Bauer, N. Christin, and L. Cranor, "Encountering stronger password requirements: user attitudes and behaviors," in Proc. SOUPS '10, 2010.
10. L. St. Clair, L. Johansen, W. Enck, M. Pirretti, P. Traynor, P. McDaniel, and T. Jaeger, "Password exhaustion: Predicting the end of password usefulness," in Proc. ICISS, 2006.
11. W. E. Burr, D. F. Dodson, and W. T. Polk, "Electronic authentication guideline," NIST, Tech. Rep., 2006.
12. R. W. Proctor, M.-C. Lien, K.-P. L. Vu, E. E. Schultz, and G. Salvendy, "Improving computer security for authentication of users: Influence of proactive password restrictions," Behavior Res. Methods, Instruments, & Computers, vol. 34, no. 2, pp. 163-169, 2002.
13. M. Weir, S. Aggarwal, M. Collins, and H. Stern, "Testing metrics for password creation policies by attacking large sets of revealed passwords," in Proc. CCS, 2010.
14. J. Ross, L. Irani, M. S. Silberman, A. Zaldivar, and B. Tomlinson, "Who are the crowdworkers? Shifting demographics in Mechanical Turk," in Proc. CHI EA, 2010.
15. P. G. Ipeirotis, "Demographics of Mechanical Turk," New York University, Tech. Rep. CeDER-10-01, 2010.
16. M. Buhrmester, T. Kwang, and S. D. Gosling, "Amazon's Mechanical Turk: A new source of inexpensive, yet high-quality, data?" Perspectives on Psychological Science, vol. 6, no. 1, pp. 3-5, 2011.
17. J. S. Downs, M. B. Holbrook, S. Sheng, and L. F. Cranor, "Are your participants gaming the system? Screening Mechanical Turk workers," in Proc. CHI, 2010.
18. A. Kittur, E. H. Chi, and B. Suh, "Crowdsourcing user studies with Mechanical Turk," in Proc. CHI, 2008.
19. M. Toomim, T. Kriplean, C. Pörtner, and J. Landay, "Utility of human-computer interactions: toward a science of preference measurement," in Proc. CHI, 2011.
20. S. Chiasson, A. Forget, E. Stobert, P. C. van Oorschot, and R. Biddle, "Multiple password interference in text passwords and click-based graphical passwords," in Proc. CCS, 2009.
21. C. Kuo, S. Romanosky, and L. F. Cranor, "Human selection of mnemonic phrase-based passwords," in Proc. SOUPS, 2006.
22. H. Wimberly and L. M. Liebrock, "Using fingerprint authentication to reduce system security: An empirical study," in Proc. IEEE Symposium on Security and Privacy, 2011.
23. D. Davis, F. Monrose, and M. K. Reiter, "On user choice in graphical password schemes," in Proc. USENIX Security Symposium, 2004.
24. A. Vance, "If your password is 123456, just make it hackme," New York Times, http://nyti.ms/w8NNwD, January 2010.
25. M. Weir, S. Aggarwal, B. de Medeiros, and B. Glodek, "Password cracking using probabilistic context-free grammars," in Proc. IEEE Symposium on Security and Privacy, 2009.
26. D. Hart, "Attitudes and practices of students towards password security," Journal of Computing Sciences in Colleges, vol. 23, no. 5, pp. 169-174, 2008.
27. A. Narayanan and V. Shmatikov, "Fast dictionary attacks on passwords using time-space tradeoff," in Proc. CCS, 2005.
28. M. Zviran and W. J. Haga, "Password security: an empirical study," J. Mgt. Info. Sys., vol. 15, no. 4, 1999.
29. S. Komanduri and D. R. Hutchings, "Order and entropy in picture passwords," in Graphics Interface, 2008.
30. J. Bonneau, M. Just, and G. Matthews, "What's in a name? Evaluating statistical attacks on personal knowledge questions," in Proc. Financial Crypto. 2010, 2010.
31. Y. Zhang, F. Monrose, and M. K. Reiter, "The security of modern password expiration: an algorithmic framework and empirical analysis," in Proc. CCS, 2010.
32. K.-P. L. Vu, R. W. Proctor, A. Bhargav-Spantzel, B.-L. B. Tai, and J. Cook, "Improving password security and memorability to protect personal and organizational information," Int. J. of Human-Comp. Studies, vol. 65, no. 8, pp. 744-757, 2007. (Pubitemid 46824074)
33. A. Adams, M. A. Sasse, and P. Lunt, "Making passwords secure and usable," in HCI 97, 1997.
34. P. Inglesant and M. A. Sasse, "The true cost of unusable password policies: password use in the wild," in Proc. ACM CHI'10, 2010, pp. 383-392.
35. R. Shay, A. Bhargav-Spantzel, and E. Bertino, "Password policy simulation and analysis," in ACM workshop on Digital identity management, 2007, pp. 1-10.
36. R. Shay and E. Bertino, "A comprehensive simulation tool for the analysis of password policies," Int. J. Info. Sec., vol. 8, no. 4, pp. 275-289, 2009.
37. J. M. Stanton, K. R. Stam, P. Mastrangelo, and J. Jolton, "Analysis of end user security behaviors," Comp. & Security, vol. 24, no. 2, pp. 124 -133, 2005.
38. D. Florêncio and C. Herley, "Where do security policies come from?" in Proc. SOUPS '10, 2010.
39. S. Schechter, C. Herley, and M. Mitzenmacher, "Popularity is everything: A new approach to protecting passwords from statistical-guessing attacks," in Proc. HotSec'10, 2010.
40. C. E. Shannon, "A mathematical theory of communication," Bell Syst. Tech. J., vol. 27, pp. 379-423, 1949.
41. J. L. Massey, "Guessing and entropy," in Proc. IEEE Int. Symp. Info. Theory, 1994, p. 204.
42. C. Castelluccia, M. Dürmuth, and D. Perito, "Adaptive Password-Strength meters from markov models," in Proc. NDSS 2012, 2012.
43. S. Marechal, "Advances in password cracking," Journal in Computer Virology, vol. 4, no. 1, pp. 73-81, 2008.
44. C. M. Weir, "Using probabilistic techniques to aid in password cracking attacks," Ph.D. dissertation, 2010.
45. S. Designer, "John the Ripper," http://www.openwall.com/john/, 1996-2010.
46. S. Komanduri, R. Shay, P. G. Kelley, M. L. Mazurek, L. Bauer, N. Christin, L. F. Cranor, and S. Egelman, "Of passwords and people: Measuring the effect of password-composition policies," in Proc. CHI, 2011.
47. B. Schneier, "Myspace passwords aren't so dumb," http://www.wired.com/politics/security/commentary/securitymatters/2006/12/72300, December 2006.
48. T. White, Hadoop: The Definitive Guide, 2nd ed. O'Reilly, September 2010.
49. J. Dean and S. Ghemawat, "MapReduce: Simplified data processing on large clusters," in Proc. OSDI, 2004.
50. C. E. Shannon, "Prediction and entropy of printed english," Bell Systems Tech. J., vol. 30, 1951.
51. E. Verheul, "Selecting secure passwords," in Topics in Cryptology-CT-RSA 2007, 2006.