Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms

P. Kelley; Saranga Komanduri; Michelle L. Mazurek; R. Shay; Timothy Vidas; L. Bauer; N. Christin; L. Cranor; J. Hernandez

DOI:10.1109/SP.2012.38

Corpus ID: 2156336

Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms

@article{Kelley2012GuessA,
  title={Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms},
  author={P. Kelley and Saranga Komanduri and Michelle L. Mazurek and R. Shay and Timothy Vidas and L. Bauer and N. Christin and L. Cranor and J. Hernandez},
  journal={2012 IEEE Symposium on Security and Privacy},
  year={2012},
  pages={523-537}
}

P. Kelley, Saranga Komanduri, +6 authors J. Hernandez

Published 2012

Computer Science

2012 IEEE Symposium on Security and Privacy

Text-based passwords remain the dominant authentication method in computer systems, despite significant advancement in attackers' capabilities to perform password cracking. [...] Key Method We develop an efficient distributed method for calculating how effectively several heuristic password-guessing algorithms guess passwords. Leveraging this method, we investigate (a) the resistance of passwords created under different conditions to guessing, (b) the performance of guessing algorithms under different training…Expand Abstract

View on IEEE

Share This Paper

376 Citations

Highly Influential Citations

Background Citations

183

Methods Citations

Results Citations

Supplemental Presentations

Presentation Slides

Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms

Presentation One

Presentation Two

Explore Further

Discover more papers related to the topics discussed in this paper

Figures and Topics from this paper

Figures

PASSWORD CRACKING BASED ON LEARNED PATTERNS FROM DISCLOSED PASSWORDS

Hsien-Cheng Chou, H. Lee, Hwan-Jeu Yu, Feipei Lai, Kuo-Hsuan Huang, Chih-Wen Hsueh
2012

Measuring password guessability for an entire university

Michelle L. Mazurek, Saranga Komanduri, +6 authors B. Ur
Computer Science
CCS
2013

Measuring Password Guessability for an Entire University (CMU-CyLab-13-013)

Michelle L. Mazurek, Saranga Komanduri, +6 authors B. Ur
Computer Science
2013

Reasoning Analytically about Password-Cracking Software

E. Liu, Amanda Nakanishi, Maximilian Golla, D. Cash, B. Ur
Computer Science
2019 IEEE Symposium on Security and Privacy (SP)
2019

Skeptic: Automatic, Justified and Privacy-Preserving Password Composition Policy Selection

Saul Johnson, J. F. Ferreira, Alexandra Mendes, Julien Cordry
Computer Science
AsiaCCS
2020

Measuring Real-World Accuracies and Biases in Modeling Password Guessability

B. Ur, Sean M. Segreti, +7 authors R. Shay
Computer Science
USENIX Security Symposium
2015

Supporting Password-Security Decisions with Data

B. Ur
Computer Science
2016

5
Highly Influenced
PDF

Designing Password Policies for Strength and Usability

R. Shay, Saranga Komanduri, +7 authors L. Cranor
Computer Science
ACM Trans. Inf. Syst. Secur.
2016

Surpass: System-initiated User-replaceable Passwords

J. Huh, Seongyeol Oh, Hyoungshick Kim, K. Beznosov, Apurva Mohan, S. Rajagopalan
Computer Science
CCS
2015

Pitfalls in the automated strengthening of passwords

D. Schmidt, T. Jaeger
Computer Science
ACSAC
2013

References

SHOWING 1-10 OF 67 REFERENCES

SORT BY

Password Strength: An Empirical Analysis

Matteo Dell'Amico, Pietro Michiardi, Y. Roudier
Computer Science
2010 Proceedings IEEE INFOCOM
2010

Using probabilistic techniques to aid in password cracking attacks

Sudhir Aggarmal, C. Weir
Computer Science
2010

Of passwords and people: measuring the effect of password-composition policies

Saranga Komanduri, R. Shay, +5 authors Serge Egelman
Computer Science
CHI
2011

Password Cracking Using Probabilistic Context-Free Grammars

Matt Weir, S. Aggarwal, B. D. Medeiros, Bill Glodek
Computer Science
2009 30th IEEE Symposium on Security and Privacy
2009

384
Highly Influential
PDF

Testing metrics for password creation policies by attacking large sets of revealed passwords

Matt Weir, S. Aggarwal, M. Collins, H. Stern
Computer Science
CCS '10
2010

370
Highly Influential
PDF

Password Exhaustion: Predicting the End of Password Usefulness

L. Clair, Lisa Johansen, +4 authors T. Jaeger
Computer Science
ICISS
2006

Encountering stronger password requirements: user attitudes and behaviors

R. Shay, Saranga Komanduri, +5 authors L. Cranor
Computer Science
SOUPS
2010

Improving computer security for authentication of users: Influence of proactive password restrictions

R. Proctor, M. Lien, K. Vu, E. Schultz, G. Salvendy
Medicine, Computer Science
Behavior research methods, instruments, & computers : a journal of the Psychonomic Society, Inc
2002

Multiple password interference in text passwords and click-based graphical passwords

S. Chiasson, A. Forget, E. Stobert, P. V. Oorschot, R. Biddle
Computer Science
CCS
2009

Password management strategies for online accounts

Shirley Gaw, E. Felten
Computer Science
SOUPS '06
2006