Testing metrics for password creation policies by attacking large sets of revealed passwords

Weir, Matt; Aggarwal, Sudhir; Collins, Michael; Stern, Henry

doi:10.1145/1866307.1866327

Cited by 285 publications

(252 citation statements)

References 11 publications

(16 reference statements)

Supporting

Mentioning

244

Contrasting

Order By: Relevance

“…However, this is mathematically unsuited to measuring guessing difficulty 6 [14,9] and recently been confirmed experimentally to be a poor measure of cracking difficulty for human-chosen passwords [21]. A more sound measure is guesswork :…”

Section: Quantifying Resistance To Guessingmentioning

confidence: 99%

“…RockYou The leak of 32 million textual passwords from the social gaming website RockYou in 2009 has proved invaluable for password research [21]. We extracted all consecutive sequences of exactly 4 digits from the RockYou passwords.…”

Section: Human Choice Of Other 4-digit Sequencesmentioning

confidence: 99%

“…Assuming that users with a blacklisted PIN will be re-distributed randomly according to the rest of the distribution (as assumed in [21]), the effects of blacklisting the top 100 PINs are substantial-λ 6 drops to 0.2%. Table 4.…”

Section: Effectiveness Of Blacklistingmentioning

confidence: 99%

See 2 more Smart Citations

A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs

Bonneau

Preibusch

Anderson

2012

Lecture Notes in Computer Science

121

114

View full text Add to dashboard Cite

Abstract. We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smartphone unlock-codes. We use a regression model to identify a small number of dominant factors influencing user choice. Using this model and a survey of over 1,100 banking customers, we estimate the distribution of banking PINs as well as the frequency of security-relevant behaviour such as sharing and reusing PINs. We find that guessing PINs based on the victims' birthday, which nearly all users carry documentation of, will enable a competent thief to gain use of an ATM card once for every 11-18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234. The lesson for cardholders is to never use one's date of birth as a PIN. The lesson for card-issuing banks is to implement a denied PIN list, which several large banks still fail to do. However, blacklists cannot effectively mitigate guessing given a known birth date, suggesting banks should move away from customer-chosen banking PINs in the long term.

show abstract

Section: Quantifying Resistance To Guessingmentioning

confidence: 99%

Section: Human Choice Of Other 4-digit Sequencesmentioning

confidence: 99%

See 1 more Smart Citation

A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs

Bonneau

Preibusch

Anderson

2012

Lecture Notes in Computer Science

121

114

View full text Add to dashboard Cite

show abstract

“…Survey after survey finds that users ignore most security precautions, yet it seems implausible that two billion people would use the Internet if a majority suffered serious harm each year. The leak of 32 million RockYou user credentials [13] has not been linked to any visible surge in fraud (albeit, proving such direct links convincingly can be difficult). The reasons for this apparent lack of visible harm are poorly understood.…”

Section: Inability To Quantify Harmmentioning

confidence: 99%

“…Infotheoretic entropy and the NIST criteria are poor measures [13] when users choose common passwords, e.g., 'Pa$$w0rd' isn't particularly strong. Strength is better measured relevant to a large population of passwords, as popularity is a main determinant of risk.…”

Section: Understanding Strength Online Offlinementioning

confidence: 99%

A Research Agenda Acknowledging the Persistence of Passwords

Herley

Oorschot

2012

IEEE Secur. Privacy Mag.

198

125

View full text Add to dashboard Cite

Despite countless attempts and near-universal desire to replace them, passwords are more widely used and firmly entrenched than ever. Our exploration of this leads us to argue that no silver bullet will meet all requirements, and not only will passwords be with us for some time, but in many instances they are the solution which best fits the scenario of use. Among broad authentication research directions to follow, we first suggest better means to concretely identify actual requirements (surprisingly overlooked to date) and weight their relative importance in target scenarios; this will support approaches aiming to identify best-fit mechanisms in light of requirements. Second, for scenarios where indeed passwords appear to be the best-fit solution, we suggest designing better means to support passwords themselves. We highlight the need for more systematic research, and how the premature conclusion that passwords are dead has lead to the neglect of important research questions.

show abstract

The Benefits of Understanding Passwords

Jakobsson

Dhiman

2012

SpringerBriefs in Computer Science

View full text Add to dashboard Cite

We study passwords from the perspective of how they are generated, with the goal of better understanding how to distinguish good passwords from bad ones. Based on reviews of large quantities of passwords, we argue that users produce passwords using a small set of rules and types of components, both of which we describe herein. We build a parser of passwords, and show how this can be used to gain a better understanding of passwords, as well as to block weak passwords.

show abstract

Testing metrics for password creation policies by attacking large sets of revealed passwords

Cited by 285 publications

References 11 publications

A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs

A Birthday Present Every Eleven Wallets? The Security of Customer-Chosen Banking PINs

A Research Agenda Acknowledging the Persistence of Passwords

The Benefits of Understanding Passwords

Contact Info

Product

Resources

About