Abstract

In this paper we attempt to determine the effectiveness of using entropy, as defined in NIST SP800-63, as a measurement of the security provided by various password creation policies. This is accomplished by modeling the success rate of current password cracking techniques against real user passwords. These data sets were collected from several different websites, the largest one containing over 32 million passwords. This focus on actual attack methodologies and real user passwords quite possibly makes this one of the largest studies on password security to date. In addition we examine what these results mean for standard password creation policies, such as minimum password length, and character set requirements.

Date

October 4, 2010

Authors

Matt Weir, Sudhir Aggarwal, Michael Collins, Henry Stern

Book

Proceedings of the 17th ACM conference on Computer and communications security

Pages

162-175