On the Accuracy of Password Strength Meters

Golla, Maximilian; Dürmuth, Markus

doi:10.1145/3243734.3243769

Cited by 67 publications

(52 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For instance, let us suppose we wish to infer the minimum length constraint specified by the policy that the 000webhost set [11] was created under (that is, α = length). In this case, previous research [7] has established that the answer is 6, and yet the data in Table IV would seem to contradict this-there are passwords shorter than this present in the data. It is readily apparent how the data in Table IV may be used to determine the minimum length constraint in the 000webhost policy.…”

Section: Attribute (α) Description Lengthcontrasting

confidence: 53%

“…This study was later replicated by Mayer et al in [8]. In [7], Golla and Dürmuth make extensive use of password data dumps where the password composition policy is known.…”

Section: Related Workmentioning

confidence: 91%

“…Passwords created under old policies may also be present. RockYou, for instance, changed their policy after their data breach in 2009 from minimum 5 characters in length [7] to a stronger policy [8], [13]. In this case, our methodology gives the password composition policy that the majority of passwords were created under, though there is scope for improving upon this in future work (see Section VI).…”

Section: Datasetmentioning

confidence: 99%

“…It is therefore possible that the dataset may be intentionally padded with extra records, some of which might contain non-compliant passwords. [7], [8].…”

Section: Datasetmentioning

confidence: 99%

“…We are therefore forced to turn to the data that we do have to attempt to infer as much of that lost information as we can. [7], [8], AND NUMBERS OF PASSWORDS WITHIN THEM.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Lost in Disclosure: On the Inference of Password Composition Policies

Johnson

Ferreira

Mendes

et al. 2019

2019 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)

View full text Add to dashboard Cite

Large-scale password data breaches are becoming increasingly commonplace, which has enabled researchers to produce a substantial body of password security research utilising real-world password datasets, which often contain numbers of records in the tens or even hundreds of millions. While much study has been conducted on how password composition policies-sets of rules that a user must abide by when creating a password-influence the distribution of user-chosen passwords on a system, much less research has been done on inferring the password composition policy that a given set of user-chosen passwords was created under. In this paper, we state the problem with the naive approach to this challenge, and suggest a simple approach that produces more reliable results. We also present pol-infer, a tool that implements this approach, and demonstrates its use in inferring password composition policies.Index Terms-password composition policy, security, inference, big data • Multiple password composition policies per dump-the RockYou set, for example, is an aggregate made up of at arXiv:2003.05846v1 [cs.CR]

show abstract

Section: Attribute (α) Description Lengthcontrasting

confidence: 53%

“…This study was later replicated by Mayer et al in [8]. In [7], Golla and Dürmuth make extensive use of password data dumps where the password composition policy is known.…”

Section: Related Workmentioning

confidence: 91%

Section: Datasetmentioning

confidence: 99%

“…It is therefore possible that the dataset may be intentionally padded with extra records, some of which might contain non-compliant passwords. [7], [8].…”

Section: Datasetmentioning

confidence: 99%

“…We are therefore forced to turn to the data that we do have to attempt to infer as much of that lost information as we can. [7], [8], AND NUMBERS OF PASSWORDS WITHIN THEM.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Lost in Disclosure: On the Inference of Password Composition Policies

Johnson

Ferreira

Mendes

et al. 2019

2019 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)

View full text Add to dashboard Cite

show abstract

The (Persistent) Threat of Weak Passwords: Implementation of a Semi-automatic Password-Cracking Algorithm

Pelchen

Jaeger

Cheng

et al. 2019

Information Security Practice and Experience

View full text Add to dashboard Cite

Even Turing Should Sometimes Not Be Able to Tell: Mimicking Humanoid Usage Behavior for Exploratory Studies of Online Services

2019

View full text Add to dashboard Cite

Online services such as social networks, online shops, and search engines deliver different content to users depending on their location, browsing history, or client device. Since these services have a major influence on opinion forming, understanding their behavior from a social science perspective is of greatest importance. In addition, technical aspects of services such as security or privacy are becoming more and more relevant for users, providers, and researchers. Due to the lack of essential data sets, automatic black box testing of online services is currently the only way for researchers to investigate these services in a methodical and reproducible manner. However, automatic black box testing of online services is difficult since many of them try to detect and block automated requests to prevent bots from accessing them. In this paper, we introduce a testing tool that allows researchers to create and automatically run experiments for exploratory studies of online services. The testing tool performs programmed user interactions in such a manner that it can hardly be distinguished from a human user. To evaluate our tool, we conducted-among other things-a large-scale research study on Risk-based Authentication (RBA), which required human-like behavior from the client. We were able to circumvent the bot detection of the investigated online services with the experiments. As this demonstrates the potential of the presented testing tool, it remains to the responsibility of its users to balance the conflicting interests between researchers and service providers as well as to check whether their research programs remain undetected.

show abstract

On the Accuracy of Password Strength Meters

Cited by 67 publications

References 26 publications

Lost in Disclosure: On the Inference of Password Composition Policies

Lost in Disclosure: On the Inference of Password Composition Policies

The (Persistent) Threat of Weak Passwords: Implementation of a Semi-automatic Password-Cracking Algorithm

Even Turing Should Sometimes Not Be Able to Tell: Mimicking Humanoid Usage Behavior for Exploratory Studies of Online Services

Contact Info

Product

Resources

About