Password Strength: An Empirical Analysis

It is a well-known fact that user-chosen passwords are somewhat predictable: by using tools such as dictionaries or probabilistic models, attackers and password recovery tools can drastically reduce the number of attempts needed to guess a password. Quite surprisingly, however, existing literature does not provide a satisfying answer to the following question: given a number of guesses, what is the probability that a state-of-the-art attacker will be able to break a password? To answer the former question, we compare and evaluate the effectiveness of currently known attacks using various datasets of known passwords. We find that a “diminishing returns” principle applies: in the absence of an enforced password strength policy, weak passwords are common; on the other hand, as the attack goes on, the probability that a guess will succeed decreases by orders of magnitude. Even extremely powerful attackers won’t be able to guess a substantial percentage of the passwords. The resul...
Matteo Dell'Amico, Pietro Michiardi, Yves Roudier
Added 28 Jan 2011
Updated 28 Jan 2011
Type Journal
Year 2010