Optimizing Password Composition Policies
Author(s): Jeremiah Blocki, Saranga Komanduri, Ariel Procaccia, Or Sheffet

Date: June 2013
Publication: Proceedings of the 14th ACM Conference on Electronic Commerce, EC '13
Page(s): 105 - 122
Publisher: ACM
Source 1: http://arxiv.org/pdf/1302.5101v2.pdf
Source 2: http://dl.acm.org/citation.cfm?id=2482552 - Subscription or payment required

Abstract or Summary:
A password composition policy restricts the space of allowable passwords to eliminate weak passwords that are vulnerable to statistical guessing attacks. Usability studies have demonstrated that existing password composition policies can sometimes result in weaker password distributions; hence a more principled approach is needed. We introduce the first theoretical model for optimizing password composition policies. We study the computational and sample complexity of this problem under different assumptions on the structure of policies and on users' preferences over passwords. Our main positive result is an algorithm that -- with high probability --- constructs almost optimal policies (which are specified as a union of subsets of allowed passwords), and requires only a small number of samples of users' preferred passwords. We complement our theoretical results with simulations using a real-world dataset of 32 million passwords.

Do you have additional information to contribute regarding this research paper? If so, please email siteupdates@passwordresearch.com with the details.

<-- Back to Authentication Research Paper Index

[Home] [About Us] [News] [Research]

Copyright © 2016 PasswordResearch.com