Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms

@article{Kelley2012GuessA,
  title={Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms},
  author={P. Kelley and Saranga Komanduri and Michelle L. Mazurek and R. Shay and Timothy Vidas and L. Bauer and N. Christin and L. Cranor and J. Hernandez},
  journal={2012 IEEE Symposium on Security and Privacy},
  year={2012},
  pages={523-537}
}
  • P. Kelley, Saranga Komanduri, +6 authors J. Hernandez
  • Published 2012
  • Computer Science
  • 2012 IEEE Symposium on Security and Privacy
  • Text-based passwords remain the dominant authentication method in computer systems, despite significant advancement in attackers' capabilities to perform password cracking. [...] Key Method We develop an efficient distributed method for calculating how effectively several heuristic password-guessing algorithms guess passwords. Leveraging this method, we investigate (a) the resistance of passwords created under different conditions to guessing, (b) the performance of guessing algorithms under different training…
    376 Citations

    Measuring password guessability for an entire university
    • 185
    Measuring Password Guessability for an Entire University (CMU-CyLab-13-013)
    Reasoning Analytically about Password-Cracking Software
    • 2
    Measuring Real-World Accuracies and Biases in Modeling Password Guessability
    • 128
    Supporting Password-Security Decisions with Data
    • B. Ur
    • Computer Science
    • 2016
    • 5
    • Highly Influenced
    Designing Password Policies for Strength and Usability
    • 77
    Pitfalls in the automated strengthening of passwords
    • 7
