Paper 2015/825
The Emperor's New Password Creation Policies
Ding Wang and Ping Wang
Abstract
While much has changed in Internet security over the past decades, textual passwords remain the dominant method for securing user web accounts, and they are proliferating in nearly every new web service. Nearly every web service, whether new or old, now enforces some form of password creation policy. In this work, we conduct an extensive empirical study of 50 password creation policies currently imposed by high-profile web services, comprising 20 policies mainly from the US and 30 from mainland China. We observe that no two sites enforce the same password creation policy, that there is little discernible rationale behind their choice of policy or behind changes to it, and that Chinese sites generally enforce more lenient policies than their English-language counterparts. We then investigate how effective these 50 policies are at resisting the primary threat to password accounts, online guessing, by testing each policy against two types of weak passwords that represent the two types of online guessing. Our results show that, of the 800 test instances in total, 541 are accepted: 218 come from trawling online guessing attempts and 323 from targeted online guessing attempts. This implies that the policies currently enforced by leading sites largely fail to serve their purpose, and are especially vulnerable to targeted online guessing attacks.
Metadata
- Category: Applications
- Publication info: Published elsewhere. Minor revision. 20th European Symposium on Research in Computer Security (ESORICS 2015)
- DOI: 10.1007/978-3-319-24177-7_23
- Keywords: User authentication, Password creation policy, Password cracking, Online trawling guessing, Online targeted guessing
- Contact author(s): wangdingg @ yeah net
- History:
  - 2015-08-27: revised
  - 2015-08-24: received
- Short URL: https://ia.cr/2015/825
- License: CC BY
BibTeX
@misc{cryptoeprint:2015/825,
  author = {Ding Wang and Ping Wang},
  title = {The Emperor's New Password Creation Policies},
  howpublished = {Cryptology {ePrint} Archive, Paper 2015/825},
  year = {2015},
  doi = {10.1007/978-3-319-24177-7_23},
  url = {https://eprint.iacr.org/2015/825}
}