
Pushing on string: the 'don't care' region of password strength

Published: 28 October 2016

Abstract

Enterprises that impose stringent password-composition policies appear to suffer the same fate as those that do not.

Published In

Communications of the ACM  Volume 59, Issue 11
November 2016
118 pages
ISSN:0001-0782
EISSN:1557-7317
DOI:10.1145/3013530
Editor: Moshe Y. Vardi
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 28 October 2016
Published in CACM Volume 59, Issue 11

Qualifiers

  • Research-article
  • Popular
  • Refereed

Article Metrics

  • Downloads (Last 12 months): 313
  • Downloads (Last 6 weeks): 74
Reflects downloads up to 09 Feb 2025

Cited By

  • (2024) PagPassGPT: Pattern Guided Password Guessing via Generative Pretrained Transformer. 2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 429-442. DOI: 10.1109/DSN58291.2024.00049. Online publication date: 24-Jun-2024
  • (2024) PassTSL: Modeling Human-Created Passwords Through Two-Stage Learning. Information Security and Privacy, 404-423. DOI: 10.1007/978-981-97-5101-3_22. Online publication date: 15-Jul-2024
  • (2023) No single silver bullet. Proceedings of the 32nd USENIX Conference on Security Symposium, 947-964. DOI: 10.5555/3620237.3620291. Online publication date: 9-Aug-2023
  • (2023) Costs and Benefits of Authentication Advice. ACM Transactions on Privacy and Security 26(3), 1-35. DOI: 10.1145/3588031. Online publication date: 13-May-2023
  • (2023) Interactions of Framing and Timing in Nudging Online Game Security. Computers & Security 124, article 102962. DOI: 10.1016/j.cose.2022.102962. Online publication date: Jan-2023
  • (2023) PiXi: Password Inspiration by Exploring Information. Information and Communications Security, 249-266. DOI: 10.1007/978-981-99-7356-9_15. Online publication date: 18-Nov-2023
  • (2022) Users' perceptions of chrome's compromised credential notification. Proceedings of the Eighteenth USENIX Conference on Usable Privacy and Security, 155-174. DOI: 10.5555/3563609.3563618. Online publication date: 8-Aug-2022
  • (2022) PasswordTensor: Analyzing and explaining password strength using tensor decomposition. Computers & Security 116, article 102634. DOI: 10.1016/j.cose.2022.102634. Online publication date: May-2022
  • (2022) Password guessers under a microscope: an in-depth analysis to inform deployments. International Journal of Information Security 21(2), 409-425. DOI: 10.1007/s10207-021-00560-9. Online publication date: 1-Apr-2022
  • (2021) Chunk-Level Password Guessing: Towards Modeling Refined Password Composition Representations. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, 5-20. DOI: 10.1145/3460120.3484743. Online publication date: 12-Nov-2021
