Presentation is loading. Please wait.

Presentation is loading. Please wait.

Guess again (and again and again) Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle.

Published byHarvey Floyd Modified over 8 years ago

Similar presentations

Presentation on theme: "Guess again (and again and again) Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle."— Presentation transcript:

1 Guess again (and again and again) Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio Lopez. In 2012 IEEE Symposium on Security and Privacy (SP), pp IEEE, 2012 Presented by Rain Qin

2 Paper Summary In this paper, the authors analyzed a dataset of 12,000 plaintext passwords collected under different password-composition policies through using Amazon’s Mechanical Turk crowdsourcing service. They implemented two guess-number calculators Weir algorithm calculator BFM algorithm calculator They found the dictionary effectiveness check depends on the choice of dictionary effective attacks on passwords created under complex policies require access to closely matched training data In these different password-composition policies, one called basic16 is the best choice

3 Policies basic8survey:Password must have at least 8 characters
(e.g. awordpswd) dictionary8:Password must have at least 8 characters.It may not contain a dictionary word (e.g. asdfghjk) comprehensive8: Password must have at least 8 characters including an uppercase and lowercase letter, a symbol, and a digit. It may not contain a dictionary word.(e.g. *IK<;lo9) basic16:Password must have at least 16 characters. (e.g. qwertyuioplkjhgf)

4 Cracked Result Use weir calculator

5 Cracked Result Use BFM calculator

6 Conclusion Basic16 is superior against large numbers of guesses.
Two guess-number calculators reveal basic16 is the best policy choice.

7 Thank you~

8 Concepts Amazon Mechanical Turk (ref Policies: basic8: Participants were given the scenario and the composition policy “Password must have at least 8 characters.” Only the scenario differs from basic8survey. blacklistEasy: Password must have at least 8 characters. It may not contain a dictionary word. blacklistMedium: Same as the blacklistEasy condition, except the authors used the paid Openwall list blacklistHard: Same as the blacklistEasy condition, except the authors used a five-billion-word dictionary created using the algorithm outlined by Weir Two guess-number calculators Brute-force algorithm loosely based on the Markov model Heuristic algorithm proposed by Weir

9 Poor Practicality hard to remember

10 Poor Practicality (cont.)
" gi1%isbrt,90%psbrt. " motto / dictum "Genius is one percent inspiration, ninety-nine percent perspiration."

Download ppt "Guess again (and again and again) Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle."

Similar presentations

Password Security An overview. We need your help The IT department uses the latest technology and techniques to maintain the highest level of security.

Password Security An overview. We need your help The IT department uses the latest technology and techniques to maintain the highest level of security.
“I regretted the minute I pressed share”: A Qualitative Study of Regrets on Facebook Presenter: Arvie Carpio Y. Wang, S. Komanduri, P.G. Leon, G. Norcie,

“I regretted the minute I pressed share”: A Qualitative Study of Regrets on Facebook Presenter: Arvie Carpio Y. Wang, S. Komanduri, P.G. Leon, G. Norcie,
251959084756578934940271832400483985714 292821262040320277771378360436620207075 955562640185258807844069182906412495150 821892985591491761845028084891200728449.

Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords Jeremiah Blocki Saranga Komanduri Lorrie Cranor Anupam Datta NDSS 2015.

Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords Jeremiah Blocki Saranga Komanduri Lorrie Cranor Anupam Datta NDSS 2015.
Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle.

Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Patrick Gage Kelley, Saranga Komanduri, Michelle.
Matt Weir, Sudhir Aggarwal, Michael Collins, Henry Stern Presented by Erik Archambault.

Matt Weir, Sudhir Aggarwal, Michael Collins, Henry Stern Presented by Erik Archambault.
Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms by Patrick Gage Kelley, Saranga Komanduri, Michelle.

Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms by Patrick Gage Kelley, Saranga Komanduri, Michelle.
Www.durham.ac.uk/cmp Centre for Materials Physics Presentation by Peter Byrne Creating and using Strong Passwords Superconductivity Group.

Centre for Materials Physics Presentation by Peter Byrne Creating and using Strong Passwords Superconductivity Group.
Cryptography. 2 Objectives Explain common terms used in the field of cryptography Outline what mechanisms constitute a strong cryptosystem Demonstrate.

Cryptography. 2 Objectives Explain common terms used in the field of cryptography Outline what mechanisms constitute a strong cryptosystem Demonstrate.
Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Authentication and access control.

Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Authentication and access control.
Tom Parker Project Manager Identity Management Team IT Security Group.

Tom Parker Project Manager Identity Management Team IT Security Group.
1 Authentication CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 11, 2004.

1 Authentication CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 11, 2004.
Authentication for Humans Rachna Dhamija SIMS, UC Berkeley DIMACS Workshop on Usable Privacy and Security Software July 7, 2004.

Authentication for Humans Rachna Dhamija SIMS, UC Berkeley DIMACS Workshop on Usable Privacy and Security Software July 7, 2004.
Hippocratic Databases Paper by Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, Yirong Xu CS 681 Presented by Xi Hua March 1st,Spring05.

Hippocratic Databases Paper by Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, Yirong Xu CS 681 Presented by Xi Hua March 1st,Spring05.
Online Job Applications. Course Outline Review resources & information needed to complete an online application Practice filling out a job application.

Online Job Applications. Course Outline Review resources & information needed to complete an online application Practice filling out a job application.
Password Management PA Turnpike Commission

Password Management PA Turnpike Commission
On the Security of Picture Gesture Authentication Ziming Zhao †‡, Gail-Joon Ahn †‡, Jeong-Jin Seo †, Hongxin Hu § † Arizona State University ‡ GFS Technology.

On the Security of Picture Gesture Authentication Ziming Zhao †‡, Gail-Joon Ahn †‡, Jeong-Jin Seo †, Hongxin Hu § † Arizona State University ‡ GFS Technology.
1 Authentication and access control overview. 2 Outline Definitions Authentication Factors Evaluation Examples  Focus on password problems and alternatives.

1 Authentication and access control overview. 2 Outline Definitions Authentication Factors Evaluation Examples  Focus on password problems and alternatives.
Password Management. Password Protection Virtually all multiuser systems require that a user provide not only a name or identifier (ID) but also a password.

Password Management. Password Protection Virtually all multiuser systems require that a user provide not only a name or identifier (ID) but also a password.
Chapter-2 Identification & Authentication. Introduction  To secure a network the first step is to avoid unauthorized access to the network.  This can.

Chapter-2 Identification & Authentication. Introduction  To secure a network the first step is to avoid unauthorized access to the network.  This can.

Similar presentations

Ads by Google