Measuring Real-World Accuracies and Biases in Modeling Password Guessability
نویسندگان
چکیده
Parameterized password guessability—how many guesses a particular cracking algorithm with particular training data would take to guess a password—has become a common metric of password security. Unlike statistical metrics, it aims to model real-world attackers and to provide per-password strength estimates. We investigate how cracking approaches often used by researchers compare to real-world cracking by professionals, as well as how the choice of approach biases research conclusions. We find that semi-automated cracking by professionals outperforms popular fully automated approaches, but can be approximated by combining multiple such approaches. These approaches are only effective, however, with careful configuration and tuning; in commonly used default configurations, they underestimate the real-world guessability of passwords. We find that analyses of large password sets are often robust to the algorithm used for guessing as long as it is configured effectively. However, cracking algorithms differ systematically in their effectiveness guessing passwords with certain common features (e.g., character substitutions). This has important implications for analyzing the security of specific password characteristics or of individual passwords (e.g., in a password meter or security audit). Our results highlight the danger of relying only on a single cracking algorithm as a measure of password strength and constitute the first scientific evidence that automated guessing can often approximate guessing by professionals.
منابع مشابه
Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks
Human-chosen text passwords, today’s dominant form of authentication, are vulnerable to guessing attacks. Unfortunately, existing approaches for evaluating password strength by modeling adversarial password guessing are either inaccurate or orders of magnitude too large and too slow for real-time, client-side password checking. We propose using artificial neural networks to model text passwords...
متن کاملMeasuring Password Guessability for an Entire University (CMU-CyLab-13-013)
Despite considerable research on passwords, empirical studies of password strength have been limited by lack of access to plaintext passwords, small data sets, and password sets specifically collected for a research study or from low-value accounts. Properties of passwords used for high-value accounts thus remain poorly understood. We fill this gap by studying the single-sign-on passwords used ...
متن کاملThe regional estimates of the GPS satellite and receiver differential code biases
The Differential Code Biases (DCB), which are also termed hardware delay biases, are the frequency-dependent time delays of the satellite and receiver. Possible sources of these delays are antennas and cables, as well as different filters used in receivers and satellites. These instrumental delays affect both code and carrier measurements. These biases for satellites and some IGS stations tend ...
متن کاملMulticriteria Optimization to Select Images as Passwords in Recognition Based Graphical Authentication Systems
Usability and guessability are two conflicting criteria in assessing the suitability of an image to be used as password in the recognition based graphical authentication systems (RGBSs). We present the first work in this area that uses a new approach, which effectively integrates a series of techniques in order to rank images taking into account the values obtained for each of the dimensions of...
متن کاملImproved Models for Password Guessing
One approach to measuring password strength is to assess the probability it will be cracked in a fixed set of guesses. The current state of the art in password guessing employs a first-order Markov model that makes several assumptions about the distribution of passwords. We present two novel approaches to modeling password distributions that remove some of these assumptions. First, a layered Ma...
متن کامل