|
Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords
Date: October 2010 Publication: Proceedings of the 17th ACM conference on Computer and Communications Security CCS'10 Page(s): 163 - 175 Publisher: ACM Source 1: http://www.cs.umd.edu/~jkatz/security/downloads/passwords_revealed-weir.pdf Source 2: https://834e27ae-a-62cb3a1a-s-sites.googlegroups.com/site/reusablesec/Home/presentations-and-papers/CCS_Password_Metric_Measurement.pdf Source 3: http://dx.doi.org/10.1145/1866307.1866327 - Subscription or payment required Abstract or Summary:
In this paper we attempt to determine the effectiveness of using entropy, as defined in NIST SP800-63, as a measurement of the security provided by various password creation policies. This is accomplished by modeling the success rate of current password cracking techniques against real user passwords. These data sets were collected from several different websites, the largest one containing over 32 million passwords. This focus on actual attack methodologies and real user passwords quite possibly makes this one of the largest studies on password security to date. In addition we examine what these results mean for standard password creation policies, such as minimum password length, and character set requirements. Do you have additional information to contribute regarding this research paper? If so, please email siteupdates@passwordresearch.com with the details.
<-- Back to Authentication Research Paper Index |