The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis
Date: October 2010
Publication: Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS '10)
Page(s): 176-186
Publisher: ACM
Source 1: http://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf
Source 2: http://www.cs.unc.edu/~yinqian/papers/PasswordExpire.pdf
Source 3: http://dx.doi.org/10.1145/1866307.1866328 (subscription or payment required)

Abstract or Summary:
This paper presents the first large-scale study of the success of password expiration in meeting its intended purpose, namely revoking access to an account by an attacker who has captured the account's password. Using a dataset of over 7700 accounts, we assess the extent to which passwords that users choose to replace expired ones pose an obstacle to the attacker's continued access. We develop a framework by which an attacker can search for a user's new password from an old one, and design an efficient algorithm to build an approximately optimal search strategy. We then use this strategy to measure the difficulty of breaking newly chosen passwords from old ones. We believe our study calls into question the merit of continuing the practice of password expiration.