Guess again (and again and again): Measuring password strength by simulating password-cracking...

Post on 17-Dec-2015


Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms

Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio López

Carnegie Mellon University, Pittsburgh, PA, USA

Presentation by David Ferreras

The Problem

• How can we tell when a password is secure?

• Which composition requirements make a password more resistant to guessing attacks?

The Problem

• There are many different composition policies for creating a password:
– Minimum length
– Numbers and symbols
– No words from a dictionary
– Etc.

Which one is better?

The Problem

And, of course, users have to be able to remember it!

Measuring password strength

• The 2 most common methods:
– Information entropy: the expected value (in bits) of the information contained in a string. Provides a lower bound on the expected number of guesses needed to find a password.
– Empirically: analyze the collected passwords with password-guessing tools.

Measuring password strength

The method in this paper:
• Collect a dataset of passwords created under different password-composition policies
• Estimate how many guesses various password-guessing tools would need to reach each collected password

The tool that performs this estimate is called a guess-number calculator.

Test data

• Passwords created under different conditions:
– Basic8survey: at least 8 characters, in a survey scenario
– Basic8: at least 8 characters, in an e-mail scenario
– Basic16: at least 16 characters
– Dictionary8: at least 8 characters and may not contain a dictionary word (free Openwall list)
– Comprehensive8: at least 8 characters including an uppercase letter, a lowercase letter, a symbol and a digit. May not contain a dictionary word (free Openwall list)
– BlacklistEasy: at least 8 characters and may not contain a dictionary word (UNIX dictionary)
– BlacklistMedium: same as before, but with the paid Openwall list
– BlacklistHard: same as before, but with a dictionary of 5 billion words
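The conditions above differ only in a handful of rules (a minimum length, required character classes, and a blacklist lookup against a progressively larger list). The following Python is an added example, not code from the study, that encodes each condition as a list of checkable requirements and reports which ones a candidate password fails. The word lists are constructed stand-ins, and the normalisation before the dictionary lookup (lowercase, drop non-letters, match the remainder as a whole word) is this example's own assumption; the slides do not state how the study normalised passwords.

```python
"""Checkers for the composition policies listed above (added example, not the study's code)."""
import re

# Constructed stand-in word lists. The study used the UNIX dictionary, the free and
# paid Openwall lists and a 5-billion-word list; none of those is reproduced here.
WORDLISTS = {
    "unix": {"password", "monkey", "dragon", "summer", "welcome"},
    "openwall_free": {"password", "monkey", "dragon", "summer", "welcome",
                      "letmein", "qwerty"},
    "openwall_paid": {"password", "monkey", "dragon", "summer", "welcome",
                      "letmein", "qwerty", "iloveyou", "trustno"},
    "huge": {"password", "monkey", "dragon", "summer", "welcome", "letmein",
             "qwerty", "iloveyou", "trustno", "correcthorse", "troubador"},
}


def contains_dictionary_word(pw, wordlist):
    """Dictionary check. ASSUMPTION: lowercase the password, drop every
    non-letter and look the remainder up as a whole word; the slides do not
    state how the study normalised passwords before its lookup."""
    letters = re.sub(r"[^a-z]", "", pw.lower())
    return letters in wordlist


# Each rule is (human-readable requirement, predicate on the password).
def min_length(n):
    return (f"at least {n} characters", lambda pw: len(pw) >= n)


def has_char(label, pred):
    return (f"contains {label}", lambda pw: any(pred(c) for c in pw))


def no_dictionary_word(listname):
    return (f"no word from the {listname} list",
            lambda pw: not contains_dictionary_word(pw, WORDLISTS[listname]))


POLICIES = {
    "basic8": [min_length(8)],
    "basic16": [min_length(16)],
    "dictionary8": [min_length(8), no_dictionary_word("openwall_free")],
    "comprehensive8": [
        min_length(8),
        has_char("an uppercase letter", str.isupper),
        has_char("a lowercase letter", str.islower),
        has_char("a digit", str.isdigit),
        has_char("a symbol", lambda c: not c.isalnum()),
        no_dictionary_word("openwall_free"),
    ],
    "blacklistEasy": [min_length(8), no_dictionary_word("unix")],
    "blacklistMedium": [min_length(8), no_dictionary_word("openwall_paid")],
    "blacklistHard": [min_length(8), no_dictionary_word("huge")],
}


def violations(policy, pw):
    """Return the requirements of `policy` that `pw` fails (empty list = accepted)."""
    return [requirement for requirement, ok in POLICIES[policy] if not ok(pw)]


if __name__ == "__main__":
    for policy in POLICIES:
        for pw in ("Password1!", "letmein123", "correcthorsebatterystaple"):
            print(f"{policy:16} {pw:28} {violations(policy, pw) or 'OK'}")
```

Running the block shows the effect the blacklist conditions are built to isolate: "letmein123" passes BlacklistEasy (the small list does not contain "letmein") but fails Dictionary8 and BlacklistMedium, while "Password1!" satisfies every character-class rule of Comprehensive8 and is still rejected by its dictionary check once the digit and symbol are stripped.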

Guess-number calculator

For most password-guessing algorithms, it is possible to build a function that maps a password to the number of guesses the algorithm would make before reaching it (its guess number).

The calculator is built on top of guessing algorithms that are trained, machine-learning style, on sets of real passwords.

The password-guessing algorithms tested are:
• Brute-force Markov
• Weir algorithm (probabilistic context-free grammar)
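To make the "password to guess number" mapping concrete, here is an added example (not the paper's calculator) of a toy Weir-style guesser in Python. It learns structure probabilities (such as L8 D1, eight letters followed by one digit) and per-slot terminal probabilities from a constructed ten-password training set, then ranks every string the grammar can produce by probability. The guess number of a password is its 1-based position in that ranking; a password the grammar cannot produce gets none. The training set, the alphabetical tie-break and the choice to learn letter runs from the training data (the real Weir algorithm fills them from a dictionary) are this example's assumptions.

```python
"""Toy guess-number calculator for a Weir-style PCFG guesser (added example)."""
from collections import Counter
from itertools import product

# Constructed training set standing in for the leaked password sets used to
# train real guessers. Ten passwords keep the whole guess space enumerable.
TRAINING = [
    "password1", "password1", "password123", "letmein1", "monkey12",
    "dragon!", "iloveyou2", "qwerty123", "abc123", "summer2011",
]


def segment(pw):
    """Split into (class, run) pairs: 'password1' -> [('L8', 'password'), ('D1', '1')]."""
    runs = []
    for ch in pw:
        cls = "L" if ch.isalpha() else "D" if ch.isdigit() else "S"
        if runs and runs[-1][0] == cls:
            runs[-1][1] += ch
        else:
            runs.append([cls, ch])
    return [(f"{cls}{len(run)}", run) for cls, run in runs]


class ToyPCFG:
    """Structure probabilities and per-class terminal probabilities learned from
    the training set. Simplification: the real Weir algorithm fills letter runs
    from an external dictionary rather than from the training passwords."""

    def __init__(self, training):
        struct_counts = Counter()
        term_counts = {}
        for pw in training:
            segs = segment(pw)
            struct_counts[tuple(cls for cls, _ in segs)] += 1
            for cls, run in segs:
                term_counts.setdefault(cls, Counter())[run] += 1
        self.p_struct = {st: n / len(training) for st, n in struct_counts.items()}
        self.p_term = {cls: {run: n / sum(cnt.values()) for run, n in cnt.items()}
                       for cls, cnt in term_counts.items()}

    def probability(self, pw):
        """P(structure) * product of P(terminal | class); 0 if any piece is unseen."""
        segs = segment(pw)
        p = self.p_struct.get(tuple(cls for cls, _ in segs), 0.0)
        for cls, run in segs:
            p *= self.p_term.get(cls, {}).get(run, 0.0)
        return p

    def guesses(self):
        """Every string the grammar can produce, in the order the guesser would
        try them: highest probability first, ties broken alphabetically."""
        scored = []
        for structure, p_s in self.p_struct.items():
            slots = [list(self.p_term[cls].items()) for cls in structure]
            for combo in product(*slots):
                p = p_s
                for _, p_t in combo:
                    p *= p_t
                # round so that equal probabilities reached via different
                # multiplication orders still compare as ties
                scored.append((round(p, 12), "".join(run for run, _ in combo)))
        scored.sort(key=lambda t: (-t[0], t[1]))
        return [guess for _, guess in scored]

    def guess_number(self, pw):
        """1-based position of pw in the guess order, or None if the grammar
        can never produce it (the attacker would have to fall back to brute force)."""
        if self.probability(pw) == 0.0:
            return None
        return self.guesses().index(pw) + 1


if __name__ == "__main__":
    pcfg = ToyPCFG(TRAINING)
    for pw in ("password1", "letmein1", "password2", "summer!", "Zx9!kq"):
        print(f"{pw:12} guess number: {pcfg.guess_number(pw)}")
```

With this training set "password1" is guess 1 and "password2" (never seen in training, but assembled from seen pieces) is guess 6, while "Zx9!kq" is unreachable because its structure never occurred. Enumerating the whole guess space is only feasible for a toy grammar; a calculator for a real guesser instead counts how many derivations have probability above the target's, which gives the same number without generating the guesses.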

Results

Conclusions

Most secure of the requirements tested:
• Basic16: at least 16 characters
• Comprehensive8: at least 8 characters including an uppercase letter, a lowercase letter, a symbol and a digit. May not contain a dictionary word

Any questions?