Adaptive Password-Strength Meters from Markov Models

19th Annual Network and Distributed System Security Symposium, NDSS 2012

Volumn , Issue , 2012, Pages

  Castelluccia, Claude ^a   Dürmuth, Markus ^b   Perito, Daniele ^a  

^a INRIA   (France)

^b RUHR UNIVERSITY BOCHUM   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

MARKOV PROCESSES;

'CURRENT; MARKOV MODELING; PASSWORD STRENGTH; PASSWORD-BASED AUTHENTICATION; SECURE IMPLEMENTATION; SIMPLE++;

AUTHENTICATION;

EID: 84959406256     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (33)

1. J. Adell, A. Lekuona, and Y. Yu. Sharp bounds on the entropy of the poisson law and related quantities. Information Theory, IEEE Transactions on, 56(5):2299-2306, 2010.
2. M. Bishop and D. V. Klein. Improving system security via proactive password checking. Computers & Security, 14(3):233-249, 1995.
3. L. D. Brown, T. T. Cai, and A. DasGupta. Interval estimation for a binomial proportion. Statistical Science, 16(2):101-133, 2001.
4. W. E. Burr, D. F. Dodson, and W. T. Polk. Electronic authentication guideline: NIST special publication 800-63, 2006.
5. J. A. Cazier and D. B. Medlin. Password security: An empirical investigation into e-commerce passwords and their crack times. Information Security Journal: A Global Perspective, 15(6):45-55, 2006.
6. M. Dell'Amico, M. Pietro, and Y. Roudier. Password strength: An empirical analysis. In INFOCOM '10: Proceedings of 29th Conference on Computer Communications. IEEE, 2010.
7. D. Florencio and C. Herley. A large-scale study of web password habits. In WWW '07: Proceedings of the 16th international conference on World Wide Web, pages 657-666. ACM, 2007.
8. D. Florêncio, C. Herley, and B. Coskun. Do strong web passwords accomplish anything? In Proceedings of the 2nd USENIX workshop on Hot topics in security, Berkeley, CA, USA, 2007. USENIX Association.
9. C. Herley. So long and no thanks for the externalities: The rational rejection of security advice by users. In Proceedings of the 2009 Workshop on New security paradigms, pages 133-144. ACM, 2009.
10. A. Kerckhoffs. La cryptographie militaire. Journal des sciences militaires, IX:5-38, January 1883.
11. D. V. Klein. Foiling the cracker: A survey of, and improvements to, password security. In Proc. USENIX UNIX Security Workshop, 1990.
12. S. Komanduri, R. Shay, P. G. Kelley, M. L. Mazurek, L. Bauer, N. Christin, L. F. Cranor, and S. Egelman. Of passwords and people: Measuring the effect of passwordcomposition policies. In CHI 2011: Conference on Human Factors in Computing Systems, 2011.
13. C. Kuo, S. Romanosky, and L. F. Cranor. Human selection of mnemonic phrase-based passwords. In Proc. Symposium on Usable Privacy and Security (SOUPS), pages 67-78, 2006.
14. C. D. Manning and H. Schütze. Foundations of statistical natural language processing. MIT Press, Cambridge, MA, USA, 1999.
15. S. Marechal. Advances in password cracking. Journal in Computer Virology, 4(1):73-81, 2008.
16. J. Massey. Guessing and entropy. In IEEE International Symposium on Information Theory, page 204, 1994.
17. Microsoft password strength meter. Online at https://www.microsoft.com/security/pc-security/password-checker.aspx.
18. R. Morris and K. Thompson. Password security: a case history. Communications. ACM, 22(11):594-597, 1979.
19. A. Narayanan and V. Shmatikov. Fast dictionary attacks on passwords using time-space tradeoff. In CCS '05: Proceedings of the 12th ACM conference on Computer and communications security, pages 364-372, New York, NY, USA, 2005. ACM.
20. The password meter. Online at http://www. passwordmeter.com/.
21. B. Pinkas and T. Sander. Securing passwords against dictionary attacks. In Proc. CCS '02, pages 161-170, 2002.
22. S. Riley. Password security: What users know and what they actually do. Usability News, 8(1), 2006.
23. S. Schechter, C. Herley, and M. Mitzenmacher. Popularity is everything: a new approach to protecting passwords from statistical-guessing attacks. In Proceedings of the 5th USENIX conference on Hot topics in security, pages 1-8. USENIX Association, 2010.
24. E. H. Spafford. Observing reusable password choices. In Proceedings of the 3rd Security Symposium, pages 299-312. USENIX, 1992.
25. SpiderMonkey. Online at http://search.cpan.org/~mschilli/JavaScript-SpiderMonkey.
26. J. M. Stanton, K. R. Stam, P. Mastrangelo, and J. Jolton. Analysis of end user security behaviors. Comp. & Security, 24(2):124-133, 2005.
27. A. Vance. If your password is 123456, just make it hackme. New York Times, oneline at http://www.nytimes.com/2010/01/21/technology/21password.html, retrieved May 2011, January 2010.
28. M. Weir, S. Aggarwal, M. Collins, and H. Stern. Testing metrics for password creation policies by attacking large sets of revealed passwords. In Proceedings of the 17th ACM conference on Computer and communications security (CCS 2010), pages 162-175. ACM, 2010.
29. M. Weir, S. Aggarwal, B. de Medeiros, and B. Glodek. Password cracking using probabilistic context-free grammars. In IEEE Symposium on Security and Privacy, pages 391-405. IEEE Computer Society, 2009.
30. J. Yan, A. Blackwell, R. Anderson, and A. Grant. Password memorability and security: Empirical results. IEEE Security and Privacy Magazine, 2(5):25-31, 2004.
31. J. J. Yan. A note on proactive password checking. In Proc. NSPW '01, pages 127-135. ACM, 2001.
32. J. J. Yan, A. F. Blackwell, and R. J. Anderson. Password memorability and security: Empirical results. IEEE Security & Privacy, 2:25-31, 2004.
33. Y. Yu. On the entropy of compound distributions on nonnegative integers. IEEE Trans. Inf. Theor., 55:3645-3650, 2009.