Passwords - Divided They Stand, United They Fall
Date: December 2014
Publication: 8th International Conference on Passwords (Passwords14 Norway)
Source: Currently no known Internet copy of paper.
It is evident from the breached password databases that in the absence of any composition policy, passwords are created predominantly using lowercase letters or digits or combination of both. Considerable portion of these passwords can be broken online using dictionary attacks, which exploit the fact that some passwords are more probable than the others. Remaining portion of these passwords can be recovered using a brute-force attack since the passwords do not have sufficient length. To counter these attacks, password policies enforce users to create passwords from a larger search space. One way to achieve this is to enforce the use of a large alphabet set while the other way is to increase the length of passwords. Both of these strategies link the increase in the search space to the increase in the security of passwords. However, we refute the claim that merely increasing the search space results in secure passwords. We hypothesize that with the human generated passwords, the search space will remain highly biased and increasing the search space might just result in a different dictionary for the attacker. We also believe that the system can play a role in changing this biased distribution without resorting to the assignment of random passwords to the users. And therefore, we propose two schemes which ensure that the attacker has to brute-force search the entire search space to break the password database.
Do you have additional information to contribute regarding this research paper? If so, please email firstname.lastname@example.org with the details.