Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms

Kelley, Patrick Gage; Komanduri, Saranga; Mazurek, Michelle L.; Shay, Richard; Vidas, Timothy; Bauer, Lujo; Christin, Nicolas; Cranor, Lorrie Faith; López, Julio

doi:10.1109/sp.2012.38

Cited by 243 publications

(122 citation statements)

References 37 publications

Supporting

Mentioning

111

Contrasting

Order By: Relevance

“…Some works try to assess or measure the strength of a password [6,15,24,1,2,13,7]. In this context, password meters are supposed to help users to improve their password.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

On the Privacy Impacts of Publicly Leaked Password Databases

Heen

Neumann

2017

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

Abstract. Regularly, hackers steal data sets containing user identifiers and passwords. Often these data sets become publicly available. The most prominent and important leaks use bad password protection mechanisms, e.g. rely on unsalted password hashes, despite longtime known recommendations. The accumulation of leaked password data sets allows the research community to study the problems of password strength estimation, password breaking and to conduct usability and usage studies. The impact of these leaks in terms of privacy has not been studied. In this paper, we consider attackers trying to break the privacy of users, while not breaking a single password. We consider attacks revealing that distinct identifiers are in fact used by the same physical person. We evaluate large scale linkability attacks based on properties and relations between identifiers and password information. With these attacks, stronger passwords lead to better predictions. Using a leaked and publicly available data set containing 130 × 10 6 encrypted passwords, we show that a privacy attacker is able to build a database containing the multiple identifiers of people, including their secret identifiers. We illustrate potential consequences by showing that a privacy attacker is capable of deanonymizing (potentially embarrassing) secret identifiers by intersecting several leaked password databases.

show abstract

“…Some works try to assess or measure the strength of a password [6,15,24,1,2,13,7]. In this context, password meters are supposed to help users to improve their password.…”

Section: Related Workmentioning

confidence: 99%

“…These last few years, research focused on password user studies [5,25,1], password breaking [26,18] and estimation of password strength [6,15,24,1,2,13,3]. Most existing attacks apply to passwords that are used by an important number of users.…”

Section: Introductionmentioning

confidence: 99%

On the Privacy Impacts of Publicly Leaked Password Databases

Heen

Neumann

2017

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

show abstract

“…Generally user chooses password which are simple and easy to remember. [8] [9] Such type of password can easily identify using some basic attacks. [10] [11] [12] System allow user to select password which consist of minimum 8 characters, one digit and one special symbol is implemented.…”

Section: User Registrationmentioning

confidence: 99%

Enhancing Security in user authentication through honeyword

Gadgil¹

2016

ijsrm

View full text Add to dashboard Cite

Honeyword system used to detect password file disclosure. For each user set of honeyword is generated. When adversary have a password file, then it get confused which one is real password in honeyword set. Adversary enters all honeywords in the set. When honeywords are entered notification will be send to the admin. Author gives hybrid method for generation of honeyword. Hybrid method provides strong DoS resistance and flatness.

show abstract

“…Yet, these are not applicable in many scenarios as such passwords are usually more difficult to remember. Assessing the effective password space can be difficult, because a sufficiently large sample of passwords is needed to derive any meaningful information on frequently appearing values [21]. Multiple metrics have been proposed to compare and predict the password spaces of different schemes.…”

Section: The Password Spacementioning

confidence: 99%

“…However, it has been found, that neither the NIST estimates nor Shannon entropy provide truely reliable estimates and represent more a "rule of thumb" than an accurate metric, especially since sample sizes in typical usability studies are far smaller than what would be desirable [21,33]. Kelley et al [21] proposed guess-number calculator and Bonneau [2] proposed α-guesswork as more robust and reliable metrics, but for none of these two empirical values for graphical passwords are available. Thus, in the the absence of viable alternatives, Shannon entropy is used as measure to configure the schemes in this study.…”

Section: The Password Spacementioning

confidence: 99%

Authentication Schemes - Comparison and Effective Password Spaces

Mayer

Volkamer

Kauer

2014

Information Systems Security

View full text Add to dashboard Cite

Abstract. Text passwords are ubiquitous in authentication. Despite this ubiquity, they have been the target of much criticism. One alternative to the pure recall text passwords are graphical authentication schemes. The different proposed schemes harness the vast visual memory of the human brain and exploit cued-recall as well as recognition in addition to pure recall. While graphical authentication in general is promising, basic research is required to better understand which schemes are most appropriate for which scenario (incl. security model and frequency of usage). This paper presents a comparative study in which all schemes are configured to the same effective password space (as used by large Internet companies). The experiment includes both, cued-recall-based and recognition-based schemes. The results demonstrate that recognition-based schemes have the upper hand in terms of effectiveness and cued-recall-based schemes in terms of efficiency. Thus, depending on the scenario one or the other approach is more appropriate. Both types of schemes have lower reset rates than text passwords which might be of interest in scenarios with limited support capacities.

show abstract

Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms

Cited by 243 publications

References 37 publications

On the Privacy Impacts of Publicly Leaked Password Databases

On the Privacy Impacts of Publicly Leaked Password Databases

Enhancing Security in user authentication through honeyword

Authentication Schemes - Comparison and Effective Password Spaces

Contact Info

Product

Resources

About