Analyzing Password Strength and Efficient Password Cracking
Department of Computer Science, College of Arts and Sciences, The Florida State University
The Florida State University, 2011
@phdthesis{yazdi2011analyzing,
  title={Analyzing Password Strength and Efficient Password Cracking},
  author={Yazdi, S.H.},
  school={The Florida State University},
  year={2011}
}
Passwords are still one of the most common means of securing computer systems. Most organizations rely on password authentication, so it is important for them to ensure that their users choose strong passwords. They usually try to enforce this by mandating password creation policies: rules such as a minimum length or the use of symbols and digits. However, these policies are not consistent with one another; the length of a "good" password, for example, differs from one policy to the next. They also tend to ignore the usability of the resulting passwords. The more complex the rules, the more they frustrate users, who fall back on coping strategies such as appending "123" to a password or repeating a word to reach the required length, which reduces the security of the password. More importantly, there is no scientific basis for these policies, i.e. no evidence that passwords created under these rules are resistant to real attacks. In fact, studies show that even the NIST proposal for a password creation policy, which is supposed to yield strong passwords, is not valid. This thesis describes different password creation policies and password checkers that try to help users create strong passwords, and discusses their shortcomings. Metrics for password strength are explored, and new approaches to calculating these metrics over password distributions are introduced. Furthermore, a new technique for estimating the strength of a password from its likelihood of being cracked by an attacker is described. In addition, a tool called PAM has been developed and is explained in detail; it helps users choose strong passwords using these metrics. PAM is a password analyzer and modifier: it rejects weak passwords and suggests a stronger one that differs only slightly from the original, so that the new password remains usable for that individual.
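As an added example (not the thesis's PAM, its metrics, or its attacker model), the following Python shows the shape of the idea the abstract describes: rate a password by how soon a rule-based attacker would guess it rather than by the composition rules it satisfies, reject it if the attacker reaches it at all, and propose a minimally changed replacement. The ten-word list, the mangling rules (including the "append 123" and "repeat the word" coping strategies the abstract mentions), the 40-bit acceptance threshold, the insertion alphabet and the deterministic search order are all constructed assumptions for this illustration.

```python
# Added example: a toy guess-number strength estimator and a PAM-style
# analyzer/modifier. This is NOT the thesis's PAM or its metrics; the
# wordlist, rules, threshold and insertion alphabet are constructed here.
import math

# Constructed mini wordlist in (assumed) descending order of popularity.
# A real attacker would use a frequency-ordered leaked list.
WORDLIST = ["password", "123456", "qwerty", "letmein", "monkey", "dragon",
            "sunshine", "football", "welcome", "princess"]

# Mangling rules, tried in this order over the whole wordlist (rule-major,
# as wordlist crackers do). The two after "as-is" model the coping
# strategies the abstract names: appending "123" and repeating the word.
RULES = [
    ("as-is",      lambda w: w),
    ("append-123", lambda w: w + "123"),
    ("repeat",     lambda w: w + w),
    ("capitalize", lambda w: w.capitalize()),
    ("append-1",   lambda w: w + "1"),
    ("append-!",   lambda w: w + "!"),
    ("cap+123",    lambda w: w.capitalize() + "123"),
    ("cap+!",      lambda w: w.capitalize() + "!"),
]

MIN_BITS = 40.0               # assumed acceptance threshold (toy value)
INSERT_ALPHABET = "!@#$%^&*"  # characters the modifier may insert


def guess_number(password, wordlist=WORDLIST, rules=RULES):
    """1-based position of `password` in the attacker's guess order, or
    None if this attacker model never generates it."""
    for r, (_, rule) in enumerate(rules):
        for i, word in enumerate(wordlist):
            if rule(word) == password:
                return r * len(wordlist) + i + 1
    return None


def charset_size(password):
    """Size of the smallest class alphabet covering the password, the
    usual brute-force keyspace assumption (33 printable symbols)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size


def strength_bits(password):
    """log2 of the guesses needed: the guess number if the rule-based
    attacker finds the password, else a brute-force keyspace estimate."""
    if not password:
        return 0.0
    g = guess_number(password)
    if g is not None:
        return math.log2(g)
    return len(password) * math.log2(charset_size(password))


def is_acceptable(password):
    """Reject anything the rule-based attacker reaches at all, and anything
    whose brute-force estimate is below MIN_BITS."""
    return guess_number(password) is None and strength_bits(password) >= MIN_BITS


def suggest(password, max_inserts=2):
    """Breadth-first search for the smallest change (1..max_inserts inserted
    characters, never at the ends, so the user's word stays recognisable)
    that makes the password acceptable. Deterministic for reproducibility;
    a real modifier would randomise the position and the character."""
    frontier = [password]
    for _ in range(max_inserts):
        next_frontier = []
        for cand in frontier:
            for pos in range(1, len(cand)):
                for ch in INSERT_ALPHABET:
                    new = cand[:pos] + ch + cand[pos:]
                    if is_acceptable(new):
                        return new
                    next_frontier.append(new)
        frontier = next_frontier
    return None


def analyze(password):
    """PAM-style verdict: the metrics plus, for a rejected password, a
    suggested replacement (None if no small change reaches the bar)."""
    accepted = is_acceptable(password)
    return {
        "password": password,
        "guess_number": guess_number(password),
        "bits": round(strength_bits(password), 2),
        "accepted": accepted,
        "suggestion": None if accepted else suggest(password),
    }


if __name__ == "__main__":
    for pw in ["password", "password123", "monkeymonkey", "Dragon!",
               "123456", "p!assword123"]:
        print(analyze(pw))
```

The point to take from running it is the caveat behind the thesis's approach: the metric is only as good as the attacker model. "password123" is guess 11 here, so its 3.5 bits have nothing to do with the 11 characters and two character classes a composition rule would credit it with; conversely, the suggested "p!assword123" rates highly only because this attacker has no "insert a symbol" rule. A cracker with that rule finds it almost as fast as the original, which is why strength has to be tied to the guessing behaviour of real attackers rather than to the rules a password happens to satisfy.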
November 2, 2011 by hgpu