Password policies

Post on 26-May-2015

Transcript of Password policies

Ari Elias-Bachrach, Defensium LLC, http://www.defensium.com

Ari@defensium.com, @angelofsecurity

November 2012

Measuring Password Complexity

2

This talk discusses the problems with our current methods of measuring password strength and proposes alternatives.

What this can give us

A better alternative

What’s wrong with password complexity?

P@ssw0rd!

3

• 4 digits
• 10 possibilities for each digit (0, 1, 2, 3, 4, 5, 6, 7, 8, 9)

We usually calculate password complexity based on the total number of possible passwords

1 2 3 4

10^4 = 10000

4

• 6 digits
• 36 possibilities for each digit (0-9, A-Z)

We usually calculate password complexity based on the total number of possible passwords

A 1 2 3 4 B

36^6 =~ 10^27

5

We usually calculate password complexity based on the total number of possible passwords

36^6 =~ 10^27

• Assuming X attempts per minute
• Calculate expected time to check all passwords
• Mean time for a single password
• Time to exhaust entire space

6

This only works if people are computers

Note: people are not computers

[Slide figure: passwords people choose (Password, Letmein, Voldemort) contrasted with passwords a computer would generate (5ga9n2kfb, b29cmna0, 9h8g2bgun)]

7

Human nature defeats complexity

[Chart: # of occurrences (y-axis) vs. passwords sorted by commonality (x-axis); labelled points: password, password1, voldemort, voldemort1, bdsjgganq, bdsjgganq1]

8

How wrong are our assumptions?

10 codes = 1/1000th of total passwords

Top 10 codes =~ 15% of all passcodes in use

9

We need a new way of measuring complexity

[Chart: # of occurrences (y-axis) vs. passwords sorted by commonality (x-axis), with the "Nth password" cut-off marked; "password" sits at the common end and "H6#a*b7Ke" at the rare end]

11

What’s needed now: analysis of password policies

[Chart: # of occurrences (y-axis) vs. passwords sorted by commonality (x-axis), one curve each for Policy 1, Policy 2 and Policy 3]

12

What’s needed now: analysis of password policies

1. Get password dumps

2. Crack them ALL (if hashed)

3. Run through previous metric

4. Correlate with applied policy
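The four steps above and the "Nth password" metric from the earlier slides, worked through on constructed data. This is an added example, not the speaker's code: two small plaintext lists stand in for cracked dumps collected under two hypothetical policies, and the functions put the textbook keyspace figure next to the empirical measures the talk argues for (share of accounts covered by the top N passwords, mean guesses for an attacker who tries passwords in order of popularity, and the entropy of what people actually chose).

```python
import math
from collections import Counter

# Constructed sample dumps (already cracked to plaintext, i.e. after step 2),
# 100 accounts each. Illustrative only, not real breach data.
# Policy A (hypothetical): at least 6 characters, must contain a number and a letter.
# Policy B (hypothetical): at least 8 characters, no composition rule.
DUMP_POLICY_A = (["password1"] * 30 + ["letmein1"] * 12 + ["abc123"] * 10
                 + ["voldemort1"] * 8 + [f"user{i}x9q" for i in range(40)])
DUMP_POLICY_B = (["password"] * 8 + ["voldemort"] * 4
                 + [f"h6#a*b7k{i:02d}" for i in range(88)])

def keyspace_size(length, alphabet_size):
    """The textbook metric from the slides: number of possible passwords."""
    return alphabet_size ** length

def keyspace_bits(length, alphabet_size):
    """Same metric expressed in bits (log2 of the keyspace)."""
    return length * math.log2(alphabet_size)

def top_n_coverage(passwords, n):
    """Fraction of accounts whose password is among the n most common
    in the dump: the 'top 10 codes cover 15%' style of measurement."""
    counts = Counter(passwords)
    return sum(c for _, c in counts.most_common(n)) / len(passwords)

def expected_guesses(passwords):
    """Mean number of guesses needed to hit a random account when the
    attacker tries passwords in order of popularity (the step 3 metric)."""
    ranked = Counter(passwords).most_common()
    weighted = sum(rank * c for rank, (_, c) in enumerate(ranked, start=1))
    return weighted / len(passwords)

def empirical_bits(passwords):
    """Shannon entropy of the observed distribution, for contrast with
    the keyspace figure; this is what the chart's skew really costs."""
    total = len(passwords)
    return -sum((c / total) * math.log2(c / total)
                for c in Counter(passwords).values())

def compare_policies(dumps, n=10):
    """Step 4: put the per-policy numbers side by side."""
    return {name: {"top_n_share": top_n_coverage(pw, n),
                   "mean_guesses": expected_guesses(pw),
                   "observed_bits": empirical_bits(pw)}
            for name, pw in dumps.items()}

if __name__ == "__main__":
    print("keyspace: 4 digits =", keyspace_size(4, 10),
          "; 6 alphanumerics =", keyspace_size(6, 36))
    for name, m in compare_policies({"A": DUMP_POLICY_A, "B": DUMP_POLICY_B}).items():
        print(name, m)
```

On real dumps the interesting output is the gap between keyspace_bits (what the policy promises) and observed_bits (what users deliver), computed per policy.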

13

We can actually quantify the risk of a given password policy!

What this gives us: the ability to quantify password policies

Which is better:

Insisting on use of numbers

Insisting on the use of special characters

14

We can actually quantify the risk of a given password policy!

What this gives us: the ability to quantify password policies

Which is better:

6 characters, must use 1 number and 1 letter

8 characters

15

Questions?

Quantify the strength of a password policy

Compare policies

State with some confidence how many weak passwords people will generate with any given policy

In summary, a true measure of password policy complexity will allow us to make informed decisions on password policies

HUGE, when talking to business people

16

About me

Ari Elias-Bachrach, Defensium LLC, http://www.defensium.com

Ari@defensium.com, @angelofsecurity