DOI: 10.1145/1866307.1866327 (research article, CCS conference proceedings)

Testing metrics for password creation policies by attacking large sets of revealed passwords

Published: 04 October 2010

ABSTRACT

In this paper we attempt to determine the effectiveness of using entropy, as defined in NIST SP800-63, as a measurement of the security provided by various password creation policies. This is accomplished by modeling the success rate of current password cracking techniques against real user passwords. These data sets were collected from several different websites, the largest one containing over 32 million passwords. This focus on actual attack methodologies and real user passwords quite possibly makes this one of the largest studies on password security to date. In addition, we examine what these results mean for standard password creation policies, such as minimum password length and character set requirements.
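The comparison the abstract describes, as an added illustration that is not code from the paper: the SP800-63 Appendix A entropy heuristic for user-chosen passwords (its dictionary-check bonus is not modelled) is computed for two creation policies, and set beside the fraction of a password sample that an ordered guess list covers. The password sample, the base word list and the mangling rules are constructed here and are assumptions, not data or tooling from the paper.

```python
"""NIST SP800-63 entropy estimate vs. measured guessability (added example).

Added illustration, not code from the paper. The entropy heuristic follows
SP800-63 Appendix A for user-chosen passwords; the dictionary-check bonus is
not modelled. The sample passwords, base words and rules are constructed.
"""
from typing import Callable, Dict, Iterable, List


def nist_entropy_bits(length: int, composition_rule: bool) -> float:
    """Bits SP800-63 Appendix A credits to a user-chosen password of `length`
    characters; `composition_rule` adds the 6-bit bonus for policies that
    require both upper-case and non-alphabetic characters."""
    bits = 0.0
    for position in range(1, length + 1):
        if position == 1:
            bits += 4.0        # first character
        elif position <= 8:
            bits += 2.0        # characters 2..8
        elif position <= 20:
            bits += 1.5        # characters 9..20
        else:
            bits += 1.0        # characters 21 and beyond
    if composition_rule:
        bits += 6.0
    return bits


def meets_policy(password: str, min_length: int, composition_rule: bool) -> bool:
    """True if `password` would have been accepted under the creation policy."""
    if len(password) < min_length:
        return False
    if composition_rule:
        has_upper = any(c.isupper() for c in password)
        has_non_alpha = any(not c.isalpha() for c in password)
        return has_upper and has_non_alpha
    return True


Rule = Callable[[str], str]

# Constructed mangling rules: a small stand-in for a cracker's rule set.
RULES: List[Rule] = [
    lambda w: w,
    lambda w: w.capitalize(),
    lambda w: w + "1",
    lambda w: w.capitalize() + "1",
    lambda w: w + "123",
    lambda w: w.capitalize() + "123!",
]


def expand_guesses(base_words: Iterable[str], rules: Iterable[Rule]) -> List[str]:
    """Ordered guess list: every rule applied to every base word, duplicates
    dropped, so a budget of N means 'the first N guesses of this list'."""
    guesses: List[str] = []
    seen = set()
    for word in base_words:
        for rule in rules:
            guess = rule(word)
            if guess not in seen:
                seen.add(guess)
                guesses.append(guess)
    return guesses


def evaluate_policy(min_length: int, composition_rule: bool,
                    passwords: Iterable[str], guesses: List[str],
                    budget: int) -> Dict[str, float]:
    """Policy's NIST entropy next to the fraction of the passwords it admits
    that fall within the attacker's first `budget` guesses."""
    population = [pw for pw in passwords
                  if meets_policy(pw, min_length, composition_rule)]
    allowed = set(guesses[:budget])
    cracked = sum(1 for pw in population if pw in allowed)
    return {
        "nist_bits": nist_entropy_bits(min_length, composition_rule),
        "population": len(population),
        "cracked_fraction": cracked / len(population) if population else 0.0,
    }


# Constructed sample of "revealed" passwords and a constructed base word list.
SAMPLE_PASSWORDS = [
    "password", "Password1", "monkey123", "Dragon123!", "letmein",
    "xq7#Lp2v", "football", "Football1", "correcthorsebattery", "Tr0ub4dor&3",
]
BASE_WORDS = ["password", "letmein", "monkey", "dragon", "football"]
GUESSES = expand_guesses(BASE_WORDS, RULES)

if __name__ == "__main__":
    policies = [("7+ chars", 7, False), ("8+ chars, upper+symbol", 8, True)]
    for name, min_len, comp in policies:
        r = evaluate_policy(min_len, comp, SAMPLE_PASSWORDS, GUESSES,
                            budget=len(GUESSES))
        print(f"{name}: NIST {r['nist_bits']:.1f} bits, "
              f"{r['cracked_fraction']:.0%} of {r['population']} cracked")
```

On the constructed sample the heuristic rates the 8-character composition policy 8 bits (24 vs 16) above the plain 7-character policy, while the share of admitted passwords inside the guess list moves only from 70% to 60%; the paper performs this kind of measurement at scale, against real revealed password sets and real cracking techniques.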


Published in: CCS '10: Proceedings of the 17th ACM conference on Computer and communications security, October 2010, 782 pages. ISBN: 9781450302456. DOI: 10.1145/1866307. Copyright © 2010 ACM.


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rates: CCS '10 paper acceptance rate 55 of 325 submissions (17%); overall acceptance rate 1,261 of 6,999 submissions (18%).
