Optimizing Password Composition Policies
Date: June 2013
Publication: Proceedings of the 14th ACM Conference on Electronic Commerce, EC '13
Page(s): 105 - 122
Source 1: http://arxiv.org/pdf/1302.5101v2.pdf
Source 2: http://dl.acm.org/citation.cfm?id=2482552 - Subscription or payment required
A password composition policy restricts the space of allowable passwords to eliminate weak passwords that are vulnerable to statistical guessing attacks. Usability studies have demonstrated that existing password composition policies can sometimes result in weaker password distributions; hence a more principled approach is needed. We introduce the first theoretical model for optimizing password composition policies. We study the computational and sample complexity of this problem under different assumptions on the structure of policies and on users' preferences over passwords. Our main positive result is an algorithm that -- with high probability --- constructs almost optimal policies (which are specified as a union of subsets of allowed passwords), and requires only a small number of samples of users' preferred passwords. We complement our theoretical results with simulations using a real-world dataset of 32 million passwords.
Do you have additional information to contribute regarding this research paper? If so, please email email@example.com with the details.