Presentation is loading. Please wait.

Presentation is loading. Please wait.

Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle.

Published byGloria Casey Modified over 9 years ago

Similar presentations

Presentation on theme: "Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle."— Presentation transcript:

1 Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Timothy Vidas Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio Lo ́pez Carnegie Mellon University Pittsburgh, PA, USA Presentation by David Ferreras

2 The Problem How can we tell when a password is secure? What requirements make a password stronger to attacks?

3 The Problem There are many different composition policies when creating a password: – Minimum length – Numbers and Simbols – Don’t allow words from a dictionary – Etc. Which one is better?

4 The Problem And, of course, users have to be able to remember it!!!

5 Measuring password strength 2 most common methods – Information Entropy expected value (in bits) of the information contained in a string. Provides a lower bound on the expected number of guesses to find a text. – Empirically Analyze the passwords with password-guessing tools.

6 Measuring password strength The method in this paper: Collect a dataset of passwords under different password-composition policies Approach how long it would take for various password-guessing tools to guess each password collected Called Guess-number calculator

7 Test data Passwords created on different conditions – Basic8survey: at least 8 characters in a survey scenario – Basic8: at least 8 characters in a email scenario – Basic16: at least 16 characters – Dictionary8: at least 8 characters and it may not contain a dictionary word (Openwall list) – Comprehensive8: at least 8 characters including an uppercase and lowercase letter, a symbol and a digit. It may not contain a dictionary word (Openwall list) – BlacklistEasy: at least 8 characters and may not contain a dictionary word (UNIX dictionary) – BlacklistMedium: same as before but with the paid Openwall list) – blacklistHard: dictionary with 5 billion words

8 Guess-number calculator For most password-guessing algorithms, it is possible to create a function that maps a password to the number of guesses required to guess it. It’s build as Machine-Learning algorithm. The password-guessing algorithms tested are: Brute-Force Markov Weir algorithms

9 Results

10

11 Conclusions Best secure requirements Basic16: at least 16 characters Comprehensive8: at least 8 characters including an uppercase and lowercase letter, a symbol and a digit. It may not contain a dictionary word Any questions?

Download ppt "Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle."

Similar presentations

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.
Password Security An overview. We need your help The IT department uses the latest technology and techniques to maintain the highest level of security.

Password Security An overview. We need your help The IT department uses the latest technology and techniques to maintain the highest level of security.
Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.

Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.
(you must put the “s” in https to access)

(you must put the “s” in https to access)
Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords Jeremiah Blocki Saranga Komanduri Lorrie Cranor Anupam Datta NDSS 2015.

Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords Jeremiah Blocki Saranga Komanduri Lorrie Cranor Anupam Datta NDSS 2015.
Matt Weir, Sudhir Aggarwal, Michael Collins, Henry Stern Presented by Erik Archambault.

Matt Weir, Sudhir Aggarwal, Michael Collins, Henry Stern Presented by Erik Archambault.
Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms by Patrick Gage Kelley, Saranga Komanduri, Michelle.

Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms by Patrick Gage Kelley, Saranga Komanduri, Michelle.
Www.durham.ac.uk/cmp Centre for Materials Physics Presentation by Peter Byrne Creating and using Strong Passwords Superconductivity Group.

Centre for Materials Physics Presentation by Peter Byrne Creating and using Strong Passwords Superconductivity Group.
ENTROPY OF FINGERPRINT SENSORS. Do different fingerprint sensors affect the entropy of a fingerprint? RESEARCH QUESTION/HYPOTHESIS.

ENTROPY OF FINGERPRINT SENSORS. Do different fingerprint sensors affect the entropy of a fingerprint? RESEARCH QUESTION/HYPOTHESIS.
2014-2005. Today’s Objective: I will create a strong, private password.

Today’s Objective: I will create a strong, private password.
Text passwords Hazim Almuhimedi. Agenda How good are the passwords people are choosing? Human issues The Memorability and Security of Passwords Human.

Text passwords Hazim Almuhimedi. Agenda How good are the passwords people are choosing? Human issues The Memorability and Security of Passwords Human.
Online Job Applications. Course Outline Review resources & information needed to complete an online application Practice filling out a job application.

Online Job Applications. Course Outline Review resources & information needed to complete an online application Practice filling out a job application.
Registration & System Access SDE Support. PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION https://isee.idaho.gov Registration System will direct you.

Registration & System Access SDE Support. PROVIDED BY THE IDAHO STATE DEPARTMENT OF EDUCATION Registration System will direct you.
David Abarca, Instructor Del Mar College Computer Corner Passwords, Passwords Everywhere !

David Abarca, Instructor Del Mar College Computer Corner Passwords, Passwords Everywhere !
Frequently Encountered Errors Idaho State Department of Education October 20, 2011.

Frequently Encountered Errors Idaho State Department of Education October 20, 2011.
Password Management PA Turnpike Commission

Password Management PA Turnpike Commission
PAGE 1 Company Proprietary and Confidential Internet Safety and Security Presented January 13, 2014.

PAGE 1 Company Proprietary and Confidential Internet Safety and Security Presented January 13, 2014.
Password Management. Password Protection Virtually all multiuser systems require that a user provide not only a name or identifier (ID) but also a password.

Password Management. Password Protection Virtually all multiuser systems require that a user provide not only a name or identifier (ID) but also a password.
Passwords Tom Ristenpart CS 6431. The game plan Historical analysis Brief overview of research landscape Current practices in industry Bonneau paper Weir.

Passwords Tom Ristenpart CS The game plan Historical analysis Brief overview of research landscape Current practices in industry Bonneau paper Weir.
Password Fundamentals. UMB-Dental School New Password Policy Passwords must be eight characters or longer. Password must contain characters from three.

Password Fundamentals. UMB-Dental School New Password Policy Passwords must be eight characters or longer. Password must contain characters from three.

Similar presentations

Ads by Google