Abstract or Summary:
A major problem in computer security is intrusion into systems due to compromised authentication procedures. This paper focuses on the most commonly used authentication procedure--use of passwords. We have developed a framework for a methodology to estimate the guessability of passwords. We assume that passwords are usually based on a simple rule. If someone discovers one of a series of rule-based passwords, it is easier to guess other passwords. The framework we propose is that computer security experts can conduct guessability studies on a large number of passwords which are candidates for assignment to users. People who attempt to guess what a password is can be provided with cues, such as what a password for another account in the system is or a nickname. Hit rates (the percentage of passwords correctly guessed within a limited number of attempts) can then be obtained. This method can be used to develop metrics for guessability of classes of passwords. A system manager might utilize results of guessability studies by encouraging users to avoid choosing passwords which are closely associated with account names or which have been shown to be highly vulnerable to guessing, or by not assigning passwords which are from vulnerable classes of passwords. A pilot study confirmed the feasibility of this framework. Participants were given 20 attempts to guess an eight-character password which was either a common English word or two unrelated words joined by a control character (eight characters in all). The common English word was vulnerable to guessing, but only when cues about this word were provided. Participants never guessed the other password, however, even when cues were provided. The results not only demonstrate feasibility of our framework, but also suggest guidelines for selecting passwords which are less likely to result in compromised authentication procedures.