Password Security: An Empirical Study

Zviran, Moshe; Haga, William J.

doi:10.1080/07421222.1999.11518226

Cited by 181 publications

(138 citation statements)

References 30 publications

Supporting

Mentioning

131

Contrasting

Unclassified

Order By: Relevance

“…Researchers have found that password policies help users create passwords that are generally harder to crack than those created without composition requirements [11,25,32]. Unfortunately, users are frustrated by inflexible password-composition and password-management requirements [1,19], and they often fulfill requirements in predictable ways [9,28,33,35].…”

Section: Background and Related Workmentioning

confidence: 99%

Can long passwords be secure and usable?

Shay

Komanduri

Durity

et al. 2014

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems

104

View full text Add to dashboard Cite

To encourage strong passwords, system administrators employ password-composition policies, such as a traditional policy requiring that passwords have at least 8 characters from 4 character classes and pass a dictionary check. Recent research has suggested, however, that policies requiring longer passwords with fewer additional requirements can be more usable and in some cases more secure than this traditional policy. To explore long passwords in more detail, we conducted an online experiment with 8,143 participants. Using a cracking algorithm modified for longer passwords, we evaluate eight policies across a variety of metrics for strength and usability. Among the longer policies, we discover new evidence for a security/usability tradeoff, with none being strictly better than another on both dimensions. However, several policies are both more usable and more secure that the traditional policy we tested. Our analyses additionally reveal common patterns and strings found in cracked passwords. We discuss how system administrators can use these results to improve password-composition policies.

show abstract

Section: Background and Related Workmentioning

confidence: 99%

Can long passwords be secure and usable?

Shay

Komanduri

Durity

et al. 2014

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems

104

View full text Add to dashboard Cite

show abstract

“…Rather than collect passwords expressly for an experiment, some researchers ask users to self-report password information, including both password composition details and user sentiment information [7,33,37,47,49,58]. While self-reported data can be very useful and can provide a lot of context, it cannot always be considered reliable, particularly with regard to a sensitive topic like passwords.…”

Section: Password Corporamentioning

confidence: 99%

Measuring password guessability for an entire university

Mazurek

Komanduri

Vidas

et al. 2013

Proceedings of the 2013 ACM SIGSAC Conference on Computer &Amp; Communications Security - CCS '13

168

View full text Add to dashboard Cite

Despite considerable research on passwords, empirical studies of password strength have been limited by lack of access to plaintext passwords, small data sets, and password sets specifically collected for a research study or from low-value accounts. Properties of passwords used for high-value accounts thus remain poorly understood.We fill this gap by studying the single-sign-on passwords used by over 25,000 faculty, staff, and students at a research university with a complex password policy. Key aspects of our contributions rest on our (indirect) access to plaintext passwords. We describe our data collection methodology, particularly the many precautions we took to minimize risks to users. We then analyze how guessable the collected passwords would be during an offline attack by subjecting them to a state-of-the-art password cracking algorithm. We discover significant correlations between a number of demographic and behavioral factors and password strength. For example, we find that users associated with the computer science school make passwords more than 1.8 times as strong as those of users associated with the business school. In addition, we find that stronger passwords are correlated with a higher rate of errors entering them.We also compare the guessability and other characteristics of the passwords we analyzed to sets previously collected in controlled experiments or leaked from low-value accounts. We find more consistent similarities between the university passwords and passwords collected for research studies under similar composition policies than we do between the university passwords and subsets of passwords leaked from low-value accounts that happen to comply with the same policies.

show abstract

“…Consequently, guessing attacks, where the attacker guesses a possible password, hashes it, and compares the hash to the stored value, are usually quite efficient. This has been realized early, and password guessing has been deployed for a long time (see, e.g, [4,39,40,15]). …”

Section: Password Securitymentioning

confidence: 99%

Evaluation of Standardized Password-Based Key Derivation against Parallel Processing Platforms

Dürmuth

Güneysu

Kasper

et al. 2012

Computer Security – ESORICS 2012

View full text Add to dashboard Cite

Abstract. Passwords are still the preferred method of user authentication for a large number of applications. In order to derive cryptographic keys from (human-entered) passwords, key-derivation functions are used. One of the most well-known key-derivation functions is the standardized PBKDF2 (RFC2898), which is used in TrueCrypt, CCMP of WPA2, and many more. In this work, we evaluate the security of PBKDF2 against password guessing attacks using state-of-the-art parallel computing architectures, with the goal to find parameters for the PBKDF2 that protect against today's attacks. In particular we developed fast implementations of the PBKDF2 on FPGA-clusters and GPU-clusters. These two families of platforms both have a better price-performance ratio than PCclusters and pose, thus, a great threat when running large scale guessing attacks. To the best of our knowledge, we demonstrate the fastest attacks against PBKDF2, and show that we can guess more than 65% of typical passwords in about one week.

show abstract

Password Security: An Empirical Study

Cited by 181 publications

References 30 publications

Can long passwords be secure and usable?

Can long passwords be secure and usable?

Measuring password guessability for an entire university

Evaluation of Standardized Password-Based Key Derivation against Parallel Processing Platforms

Contact Info

Product

Resources

About