Observing Reusable Password Choices
Author(s): Eugene Spafford

Date: July 31 1992
Publication: Purdue Technical Report CSD-TR 92-049
Publisher: Purdue University
Source 1: https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/91-03.pdf
Source 2: http://spaf.cerias.purdue.edu/tech-reps/9149.pdf
Source 3: http://citeseerx.ist.psu.edu/viewdoc/summary?doi=

Abstract or Summary:
From experience, a significant number of recent computer breakins -- perhaps the majority -- can be traced back to an instance of a poorly-chosen reusable password. Once a system intruder has gained access to one account by breaking a password, it is often a simple matter to find system flaws and weaknesses that thereafter allow entry to other accounts and increasing amounts of privilege.

The OPUS project being conducted at Purdue is an attempt to screen users’ selection of passwords to prevent poor choices. The focus of the project is on using screening methods that are both time and space-efficient and to provide a mechanism that is effective for workstations with little or no disk as well as mainframes.

To test this mechanism, we require a representative sample of real passwords. Thus, we constructed a method of sampling real passwords choices as they were made by users. The challenge of such a sampling mechanism is how to protect it from attack, and how to protect the results from being used against the system. This paper discusses our approach, and some of our initial observations on the words collected.

PasswordResearch.com Note: Paper also was published as "Observations on Reusable Password Choices" in the Proceedings of the 3rd Security Symposium. Usenix, September 1992.

Do you have additional information to contribute regarding this research paper? If so, please email siteupdates@passwordresearch.com with the details.

<-- Back to Authentication Research Paper Index

[Home] [About Us] [News] [Research]

Copyright © 2016 PasswordResearch.com