An official website of the United States government, Department of Justice.

NCJRS Virtual Library

The Virtual Library houses over 235,000 criminal justice resources, including all known OJP works.

Testing metrics for password creation policies by attacking large sets of revealed passwords

NCJ Number: 308113
Author(s): Matt Weir; Sudhir Aggarwal; Michael Collins; Henry Stern
Date Published: 2010
Length: 14 pages

Annotation

This study tests metrics for password creation policies by focusing on actual attack methodologies and real user passwords.

Abstract

In this paper, the authors attempt to determine the effectiveness of using entropy, as defined in NIST SP800-63, as a measurement of the security provided by various password creation policies. This focus on actual attack methodologies and real user passwords quite possibly makes this one of the largest studies on password security to date. In addition, the authors examine what these results mean for standard password creation policies, such as minimum password length and character set requirements. The authors model the success rate of current password cracking techniques against real user passwords. These data sets were collected from several different websites, the largest one containing over 32 million passwords. (Published Abstract Provided)