Cryptology ePrint Archive: Report 2015/825

The Emperor's New Password Creation Policies

Ding Wang and Ping Wang

Abstract: While much has changed in Internet security over the past decades, textual passwords remain as the dominant method to secure user web accounts and they are proliferating in nearly every new web services. Nearly every web services, no matter new or aged, now enforce some form of password creation policy. In this work, we conduct an extensive empirical study of 50 password creation policies that are currently imposed on high-profile web services, including 20 policies mainly from US and 30 ones from mainland China. We observe that no two sites enforce the same password creation policy, there is little rationale under their choices of policies when changing policies, and Chinese sites generally enforce more lenient policies than their English counterparts.

We proceed to investigate the effectiveness of these 50 policies in resisting against the primary threat to password accounts (i.e. online guessing) by testing each policy against two types of weak passwords which represent two types of online guessing. Our results show that among the total 800 test instances, 541 ones are accepted: 218 ones come from trawling online guessing attempts and 323 ones come from targeted online guessing attempts. This implies that, currently, the policies enforced in leading sites largely fail to serve their purposes, especially vulnerable to targeted online guessing attacks.

Category / Keywords: applications / User authentication, Password creation policy, Password cracking, Online trawling guessing, Online targeted guessing.

Original Publication (with minor differences): 20th European Symposium on Research in Computer Security (ESORICS 2015)
DOI:
10.1007/978-3-319-24177-7_23

Date: received 24 Aug 2015, last revised 27 Aug 2015

Contact author: wangdingg at yeah net

Available format(s): PDF | BibTeX Citation

Version: 20150827:063629 (All versions of this report)

Short URL: ia.cr/2015/825

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]