Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords
Date: October 2010
Publication: Proceedings of the 17th ACM conference on Computer and Communications Security CCS'10
Page(s): 163 - 175
Source 1: http://www.cs.umd.edu/~jkatz/security/downloads/passwords_revealed-weir.pdf
Source 2: http://dx.doi.org/10.1145/1866307.1866327 - Subscription or payment required
In this paper we attempt to determine the effectiveness of using entropy, as defined in NIST SP800-63, as a measurement of the security provided by various password creation policies. This is accomplished by modeling the success rate of current password cracking techniques against real user passwords. These data sets were collected from several different websites, the largest one containing over 32 million passwords. This focus on actual attack methodologies and real user passwords quite possibly makes this one of the largest studies on password security to date. In addition we examine what these results mean for standard password creation policies, such as minimum password length, and character set requirements.
Do you have additional information to contribute regarding this research paper? If so, please email email@example.com with the details.