guess again (and again and again): measuring password strength by simulating password-cracking...

11

Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Timothy Vidas Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio Lo ́pez Carnegie Mellon University Pittsburgh, PA, USA Presentation by David Ferreras

Upload: gloria-casey

Post on 17-Dec-2015

223 views

Category:

Documents

2 download

Report

Download

Embed Size (px):

TRANSCRIPT

Page 1: Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle

Guess again (and again and again):Measuring password strength by simulating password-cracking

algorithms

Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Timothy Vidas Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio Lo pez ́�

Carnegie Mellon UniversityPittsburgh, PA, USA

Presentation by David Ferreras

Page 2: Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle

The Problem

• How can we tell when a password is secure?

• What requirements make a password stronger to attacks?

Page 3: Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle

The Problem

• There are many different composition policies when creating a password:– Minimum length– Numbers and Simbols– Don’t allow words from a dictionary– Etc.

Which one is better?

Page 4: Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle

The Problem

And, of course, users have to be able to remember it!!!

Page 5: Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle

Measuring password strength

• 2 most common methods– Information Entropy• expected value (in bits) of the information contained in

a string. Provides a lower bound on the expected number of guesses to find a text.

– Empirically• Analyze the passwords with password-guessing tools.

Page 6: Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle

Measuring password strength

The method in this paper:• Collect a dataset of passwords under different

password-composition policies• Approach how long it would take for various

password-guessing tools to guess each password collected

Called Guess-number calculator

Page 7: Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle

Test data

• Passwords created on different conditions– Basic8survey: at least 8 characters in a survey scenario– Basic8: at least 8 characters in a email scenario– Basic16: at least 16 characters– Dictionary8: at least 8 characters and it may not contain a dictionary

word (Openwall list)– Comprehensive8: at least 8 characters including an uppercase and

lowercase letter, a symbol and a digit. It may not contain a dictionary word (Openwall list)

– BlacklistEasy: at least 8 characters and may not contain a dictionary word (UNIX dictionary)

– BlacklistMedium: same as before but with the paid Openwall list)– blacklistHard: dictionary with 5 billion words

Page 8: Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle

Guess-number calculator

For most password-guessing algorithms, it is possible to create a function that maps a password to the number of guesses required to guess it.

It’s build as Machine-Learning algorithm.

The password-guessing algorithms tested are:• Brute-Force Markov• Weir algorithms

Page 9: Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle

Results

Page 10: Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle

Results

Page 11: Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle

Conclusions

Best secure requirements• Basic16: at least 16 characters• Comprehensive8: at least 8 characters including an

uppercase and lowercase letter, a symbol and a digit. It may not contain a dictionary word

Any questions?

AdChoices? Compliance with Online Behavioral Advertising ... · AdChoices? Compliance with Online Behavioral Advertising Notice and Choice Requirements Saranga Komanduri, Richard

ArcGIS - webhelp.esri.comwebhelp.esri.com/arcgisdesktop/9.2/pdf/DatabaseServers_Tutorial.pdf · ADDING USERS 5 6. Type Leon in the Password ﬁeld, and type it again in the Conﬁrm

Chulwoo Oh, Ravi Komanduri, and Michael J. Escuti 1 · P-167 / C. Oh P-167: FDTD and Elastic Continuum Analysis of the Liquid Crystal Polarization Grating Chulwoo Oh, Ravi Komanduri,

Username Password Enter Username and Password Login

Guess Again (and Again and Again): Measuring Password ... · Measuring password strength by simulating password-cracking algorithms ... passwords that happen to meet ... Measuring

NetBrain Technologies, Inc. 2009-07-20...Check Store password, the system will remember the password and you don’t need to input it again. NetBrain Discovery Appliance Manual - 14

PASSWORDPop QuizPop Quiz! PASSWORD Pop QuizPop Quiz! · 2016. 3. 22. · “PASSWORD” 7 PASSWORD Pop QuizPop Quiz! PASSWORD Pop QuizPop Quiz! PASSWORD Pop QuizPop Quiz! PASSWORD

Guess Again (and Again and Again): Measuring Password ... · Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage

Guess Again (and Again and Again): Measuring Password ...cups.cs.cmu.edu/rshay/pubs/guessagain2012.pdf · Guess again (and again and again): Measuring password strength by simulating

Wireless Troubleshooting Guide for the Wi-Fi network name/SSID and enter new Wi-Fi security key/password again. android Your android phone may be storing your old Wi-Fi password causing

Guess Again (and Again and Again): Measuring Password Strength

Student Website Setup - Austin Community College District · Aptana, WinSCP, CoreFTP, FileZilla). Second, sites are viewed/tested via a browser. Again, username and password credentials

Available on the App Store Device management Device type ... · User register Any 7-12 digits Enter password —O Enter password again 6-16 characters, please use letters and numbers

X7 Access Control · 2017. 8. 21. · 5. En ter the new password again for authentic ation. 4. Enter a new password. (The password consists of four digits.) 6. The password is changed

workshopsc.ymcdn.com/sites/ · Adoptive immunotherapy using haploidentical natural killer ... Immunotherapy Chair: Jeffrey Molldrem Krishna Komanduri ... Dr. Rob Ploemacher

Guess again (and again and again): Measuring password ...lbauer/papers/2012/... · Abstract—Text-based passwords remain the dominant au-thentication method in computer systems,

My password is password

Password Tips · Suggested Password Strategy Create strong, memorable passphrases for your key passwords. 1. Password manager program’s master password. 2. Computer login password

Free Password Locker | Password Manager - AKick

Marathon Fundraising - Anita Komanduri, Asha Training schedule - Santhosh Padmanabhan, Coach

Guess again (and again and again): Measuring password ...lbauer/papers/2012/... · Sony Playstation, etc.), coupled with the availability of ... leaked password lists come from sites

TAXPAYER MANUAL...Page 8/ 63 Confirm Password: Input new password again. Then, Taxpayer clicks “Change” button to change password. 2.2 Save Draft Tax Return form This section shows

1 Coordinators Chapter Coordinator- Vinod Viswanath Project Coordinator- Sanjeev Ranganathan Treasurer- Anita Komanduri

Password Managers · Frank Chen | Spring 2017 CS 88S Password, Authentication, Password Managers Week 4 LastPass, a Password Manager Application

Internet password: aea8success Conceptbasedinstruction.weebly.com Password: Consortium1

ADVANCED USER’S GUIDE - Brother...re-enter the password. Setting and changing the TX Lock password 2 Note If you have already set the password, you will not need to set it again

Optimizing Password Composition Policies Jeremiah Blocki Saranga Komanduri Ariel Procaccia Or Sheffet To appear at EC 2013

EasyMail Setup is a simple and convenient email …...• Password – enter a new password • Re-enter password – confirm your new password • Forgot Password Question – choose

Jeremiah Blocki, Saranga Komanduri, Lorrie Cranor, Anupam Datta Presented by Lihua Ren

FLASCO · impressive leader, Dr. McAneny has ... Krishna V. Komanduri, ... MD Speaking on the topic of Immunotherapy in Oncology

MS Excel password recovery to crack XLSX password & Recovery Excel password

16/24-Port PoE Gigabit Managed Switch · 2018. 8. 21. · Figure 4-20 Add a user. Step 2 Input the user name and the password, and input the password again to confirm it. The password

0 Designing Password Policies for Strength and Usability€¦ · password [Kelley et al. 2012; Komanduri et al. 2011]. As a result, this simple policy based on longer passwords, despite

PSV (Password Security Visualizer): From Password Checking ...epubs.surrey.ac.uk/813690/13/psv-password-security.pdf · PSV (Password Security Visualizer): From Password Checking

RunningBall Trader Client · RunningBall Trader Client - Quick Start Guide > 7 Enter your Old password again, then type in a secure New password containing letters and numbers with