Investigating the Distribution of Password Choices
Date: April 2012
Publication: Proceedings of the 21st international conference on World Wide Web, WWW '12
Page(s): 301 - 310
Source 1: http://www2012.wwwconference.org/proceedings/proceedings/p301.pdf
Source 2: http://arxiv.org/pdf/1104.3722.pdf
Source 3: http://dx.doi.org/10.1145/2187836.2187878 - Subscription or payment required
Abstract or Summary:
The distribution of passwords chosen by users has implications for site security, password-handling algorithms and even how users are permitted to select passwords. Using password lists from four different web sites, we investigate if Zipf's law is a good description of the frequency with which passwords are chosen. We use a number of standard statistics, which measure the security of password distributions, to see if modelling the data using a simple distribution is effective. We then consider how much the password distributions from each site have in common, using password cracking as a metric. This shows that these distributions have enough high-frequency passwords in common to provide effective speed-ups for cracking passwords. Finally, as an alternative to a deterministic banned list, we will show how to stochastically shape the distribution of passwords, by occasionally asking users to choose a different password.