Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms
Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio López
Carnegie Mellon University, Pittsburgh, PA, USA
Presentation by David Ferreras
The Problem
• How can we tell when a password is secure?
• Which requirements make a password more resistant to attacks?
The Problem
• There are many different composition policies for creating a password:
– Minimum length
– Numbers and symbols
– Don't allow words from a dictionary
– Etc.
Which one is better?
Measuring password strength
• 2 most common methods:
– Information entropy: the expected value (in bits) of the information contained in a string. It provides a lower bound on the expected number of guesses needed to find a text.
– Empirically: analyze the passwords with password-guessing tools.
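To make the relationship between the two methods concrete, here is an added example (not code from the paper or the slides) that takes a constructed, tiny password distribution, computes its Shannon entropy in bits, computes the expected number of guesses an optimal guesser needs when trying passwords in decreasing-probability order, and checks Massey's lower bound on that expectation (expected guesses ≥ 2^(H−2) + 1 whenever H ≥ 2 bits). The sample passwords and their frequencies are invented for illustration.

```python
import math
from collections import Counter

# Constructed sample "population" of chosen passwords; the frequencies are invented.
SAMPLE_PASSWORDS = (
    ["password1"] * 40
    + ["letmein!"] * 25
    + ["Summer2012"] * 15
    + ["qwerty123"] * 10
    + ["Tr0ub4dor&3"] * 5
    + ["c0rrect-h0rse"] * 5
)


def password_distribution(passwords):
    """Estimate {password: probability} from observed frequencies."""
    counts = Counter(passwords)
    total = sum(counts.values())
    return {pw: n / total for pw, n in counts.items()}


def shannon_entropy_bits(dist):
    """H = -sum(p * log2 p) over the distribution, in bits."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def guessing_entropy(dist):
    """Expected number of guesses for a guesser that tries passwords in
    decreasing order of probability (the optimal order for a known distribution)."""
    ordered = sorted(dist.values(), reverse=True)
    return sum(rank * p for rank, p in enumerate(ordered, start=1))


def massey_lower_bound(h_bits):
    """Massey (1994): if H >= 2 bits, the expected number of guesses is
    at least 2**(H - 2) + 1. Shannon entropy is only a lower bound of this kind,
    not a direct count of guesses."""
    return 2 ** (h_bits - 2) + 1


def summarize(passwords=SAMPLE_PASSWORDS):
    """Return the three quantities for a password sample, for comparison."""
    dist = password_distribution(passwords)
    h = shannon_entropy_bits(dist)
    return {
        "entropy_bits": h,
        "expected_guesses": guessing_entropy(dist),
        "massey_bound": massey_lower_bound(h),
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name:>17}: {value:.3f}")
```

The point to notice on this toy data is that 2^H (about 4.6 guesses here) is not the expected number of guesses; the optimal guesser needs about 2.3 on average, which still respects Massey's bound of about 2.15. That gap is the reason the paper measures strength empirically with guess numbers instead of relying on entropy alone.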
Measuring password strength
The method in this paper:
• Collect a dataset of passwords created under different password-composition policies
• Estimate how long it would take various password-guessing tools to guess each collected password
The tool that does this is called the guess-number calculator.
Test data
• Passwords created under different conditions:
– Basic8survey: at least 8 characters, in a survey scenario
– Basic8: at least 8 characters, in an email scenario
– Basic16: at least 16 characters
– Dictionary8: at least 8 characters and may not contain a dictionary word (Openwall list)
– Comprehensive8: at least 8 characters including an uppercase and a lowercase letter, a symbol and a digit; may not contain a dictionary word (Openwall list)
– BlacklistEasy: at least 8 characters and may not contain a dictionary word (UNIX dictionary)
– BlacklistMedium: same as before but with the paid Openwall list
– BlacklistHard: dictionary with 5 billion words
Guess-number calculator
For most password-guessing algorithms, it is possible to create a function that maps a password to the number of guesses required to guess it.
It's built as a machine-learning algorithm.
The password-guessing algorithms tested are:
• Brute-force Markov
• Weir algorithms
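The following is an added example (not the paper's calculator, which is trained on real data and models the Markov and Weir algorithms) that shows the core idea of a guess-number calculator on a deliberately tiny, constructed guesser: an ordered wordlist with three mangling rules applied in a fixed order. Instead of enumerating guesses until the password appears, `guess_number` inverts each rule and computes the password's 1-based position in the guess order arithmetically; `guess_number_by_enumeration` is the slow reference used to confirm the arithmetic. The wordlist, rules and test passwords are all invented for illustration.

```python
from typing import Callable, Iterator, List, Optional, Tuple

# Constructed toy wordlist, ordered from most to least common (not a real list).
WORDLIST = ["password", "letmein", "monkey", "dragon", "sunshine", "princess"]
WORD_INDEX = {w: i for i, w in enumerate(WORDLIST)}

# Mangling rules in the order the toy guesser applies them. Each rule is
# (name, expand, guesses_per_word, invert):
#   expand(word) -> the guesses the rule produces for that word, in order
#   invert(pw)   -> (base_word, offset within expand(base_word)), or None if
#                   the rule cannot produce pw from any base word
Expand = Callable[[str], List[str]]
Invert = Callable[[str], Optional[Tuple[str, int]]]


def _expand_identity(w: str) -> List[str]:
    return [w]


def _invert_identity(pw: str) -> Optional[Tuple[str, int]]:
    return (pw, 0)


def _expand_capitalize(w: str) -> List[str]:
    return [w[:1].upper() + w[1:]]


def _invert_capitalize(pw: str) -> Optional[Tuple[str, int]]:
    return (pw[:1].lower() + pw[1:], 0) if pw[:1].isupper() else None


def _expand_append_digit(w: str) -> List[str]:
    return [w + d for d in "0123456789"]


def _invert_append_digit(pw: str) -> Optional[Tuple[str, int]]:
    return (pw[:-1], int(pw[-1])) if len(pw) > 1 and pw[-1].isdigit() else None


RULES: List[Tuple[str, Expand, int, Invert]] = [
    ("identity", _expand_identity, 1, _invert_identity),
    ("capitalize", _expand_capitalize, 1, _invert_capitalize),
    ("append_digit", _expand_append_digit, 10, _invert_append_digit),
]


def guess_number(password: str) -> Optional[int]:
    """1-based position of `password` in this guesser's output order, computed
    without enumerating; None if the guesser would never produce it (in the
    paper's terms: beyond the cutoff, i.e. not cracked by this algorithm)."""
    guesses_before_rule = 0
    for _name, _expand, per_word, invert in RULES:
        inverted = invert(password)
        if inverted is not None:
            base, offset = inverted
            if base in WORD_INDEX:
                # Rules are tried in order, so the first rule that can produce
                # the password gives its earliest position in the guess stream.
                return guesses_before_rule + WORD_INDEX[base] * per_word + offset + 1
        guesses_before_rule += per_word * len(WORDLIST)
    return None


def enumerate_guesses() -> Iterator[str]:
    """Reference behaviour: emit every guess in the order the guesser tries them."""
    for _name, expand, _per_word, _invert in RULES:
        for w in WORDLIST:
            yield from expand(w)


def guess_number_by_enumeration(password: str, cutoff: int = 10**6) -> Optional[int]:
    """Slow reference for guess_number: count guesses until the password appears."""
    for n, guess in enumerate(enumerate_guesses(), start=1):
        if n > cutoff:
            break
        if guess == password:
            return n
    return None


if __name__ == "__main__":
    for pw in ["password", "Monkey", "sunshine7", "Princess1", "hunter2"]:
        print(f"{pw:<12} guess number: {guess_number(pw)}")
```

Two things carry over to the real calculator: a password's strength against a given guesser is its position in that guesser's guess stream, not a property of the string alone (`sunshine7` is guess 60 here only because `sunshine` is near the top of the toy list), and a password the guesser can never produce (`Princess1` needs two rules combined, which this toy guesser does not do) gets no guess number at all, which is the "not cracked within the cutoff" outcome the paper reports separately.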