poster - INSuRE

Password Policies and Their Effect on UserCreated Passwords Will Gossard, Scott Bryant, Alex Sperr Institution: University of Maryland, Baltimore County

Introduction

Results

● The main goal of this project was to conduct a statistical analysis of multiple leaked and cracked password databases with respect to their password policies. ● Passwords are a weak security system and these policies are used in an attempt to make the passwords more ‘secure’.

The Pipal analysis yielded many facets of statistical and grammatical analysis for the databases. These included: frequency of base words, distribution of the length of the password, the common number sequences and character sets, possible references to dates, area codes and zip codes, character set ordering, and hashcat masks. The length distribution, a word cloud of the common base words, and the character sets of each database are shown below.

Password Length

● It is not the password system that causes problems to the security of the system; it is the user.

Background and Previous Research ● The field of passwords and their security is both large and varied. Because of this, the amount of previous research done on this topic is staggering. Some of this research include: Campbell, et.al.[4] Work on the human psychology behind password choices

Blocki, et.al.[8] Algorithm that selects the optimal password policy based on user prefered passwords

Weir, et.al.[10] Character Sets

Analysis of password metrics

Shay and Bertino[14]

Base-Word Word Cloud

Simulating user password creation under different policies

RockYou

● We had to closely examine previous work to ensure that this project and its methodology has not already been completed prior to our research. We concluded, after an extensive literature review, that no previous research project had analyzed several real-world password databases to determine the effect that the various password policies have on the security of the passwords.

Facebook

Hotmail

Database

Policy

Size(Passwords)

Year

Facebook

Minimum 6 chars

18779

2012

Yahoo Voice

No minimum, Max 32 chars

442835

2012

RockYou

Minimum 5 chars, no special chars

14344313

2009-12

Minimum of 6 Chars

8930

Hotmail

Yahoo Voice

Conclusions ●

●

The differences in the policies had a minimal impact on the security of the passwords. ○ Cracking times were, on average, the same ○ Lengths were always near the minimum required ○ The exception to this was Yahoo Voice. ● According to its password policy, it did not have a minimum password length, but, interestingly, it had a higher average password length when compared to the other databases. Stricter policies ≠ More security ○ Users tend to pick the most memorable password [1,2] ○ Adversaries will adapt and take advantage of this Eventually need a replacement system ○ The replacement needs to not rely on human memorization

The resulting data from each database consisted of an analyzed and parsed form of the databases, and a file of the randomly selected cracked and uncracked password hashes. The cracking results for each databases varied by a large margin. A large percentage of passwords from each databases were cracked within the allotted hour or just over an hour. The remaining passwords were not cracked in the time allotted, and , even in some cases, when left to run for a longer period of time (i.e. upto 12 hours)

●

●

Facebook

Yahoo Voice

Only lowercase alpha

3716 (41.61%)

3726656 (25.98%)

4837 (25.76%)

146512 (33.09%)

Only alpha

3913 (43.82%)

3956549 (27.58%)

4942 (26.32%)

148288 (33.49%)

Only numeric

1654 (18.52%)

2346842 (16.36%)

6455 (34.37%)

26095 (5.89%)

Yahoo Voice

6

1823 (20.41%)

1947848 (13.58%)

5656 (30.12%)

79626 (17.98%)

7

1306 (14.62%)

2506256 (17.47%)

2651 (14.12%)

65609 (14.82%)

8

1769 (19.81%)

2965991 (20.68%)

2834 (15.09%)

119133 (26.9%)

9

1098 (12.3%)

2190993 (15.27%)

1769 (9.42%)

65963 (14.9%)

10

773 (8.66%)

2013686 (14.04%)

2027 (10.79%)

54757 (12.37%)

Figure 1.2: Number of passwords with the accompanying percentages for the corresponding lengths

Reliability of news sources ○ Are we sure of the policies? Reliability of the source of the leaked databases ○ How are we sure that these are the correct databases? Unfortunately, unable to confirm either without actually communicating with the administrators of the websites

Future Work ●

● ●

Figure 1.1: This figure depicts the password policies of their respective databases.

Data

●

●

Rockyou

Facebook

Possible Sources of Error

2011

Hotmail

Rockyou

On a cursory observation of the most common base words, it is apparent that the demographics and culture of the people creating the passwords greatly influences password choices. For example, the use of the words ‘diciembre’ and ‘abril’ in the Hotmail database strongly suggest a Spanish speaking user base. An attacker with this knowledge can tailor their attack to try the lexicon of the specific user base.

●

Character length

Hotmail

Number of passwords in each database with corresponding: only lowercase alpha in password, only alpha in password, and only numeric in password. The format being ‘total number(total %)’.

Methods ● Obtain password databases and corresponding policies. ○ These include: Facebook, Yahoo Voice, RockYou and Hotmail ● Grammatical and statistical analysis ○ Used Pipal, an open-source password database analyzer ● Testing the security of the passwords via an open-source password hash cracker ‘John the Ripper’. ○ Randomly selected 100 passwords from each database ○ Hashed the passwords using the md5 algorithm ○ Recorded the time to crack each password with a cutoff for most of the passwords at 1 hour

Database:

Allow the password hash cracker more time to crack the password hashes. ○ Or obtain a more powerful computer Implement our secondary plan ○ User study Process more databases with more policies Examine average entropy against either the entire database or a random sample

Bibliography [1] Abe Singer, Warren Anderson, Rik Farrow. “Rethinking Password Policies”. August 2013. https://www.usenix.org/sites/default/files/rethinking_password_policies_unabridged.pdf [2] Ashwini Rao, Birendra Jha, Gananand Kini. “Effect of Grammar on Security of Long Passwords”. 3rd ACM Conference on Data and Application Security and Privacy (CODASPY'13), San Antonio, Texas, Feb. 2013 [3] Bonneau, Joseph, (2011), University of Cambridge. “The Science of Guessing: Analyzing an Anonymized Corpus of 70 million passwords.” Retrieved web. 21 Feb. 2014. http://www.jbonneau. com/doc/B12-IEEESP-analyzing_70M_anonymized_passwords.pdf [4] Campbell J. et.al. (2010). “Impact of Restrictiveness Composition Policy on User Password Choices”. Vol. 30 issue 3, p379-388; retrieved from: http://web.b.ebscohost.com.proxy-bc. researchport.umd.edu/ehost/pdfviewer/pdfviewer?sid=0b727b22-c98e-4864-8a57-4507c5137a6d%40sessionmgr114&vid=10&hid=118 [5] Cazier, J. A. & Medlin, B. D. (2006). “How Secure is Your Password? An Analysis of E-Commerce Passwords”.Journal of Information Systems Security, 2 (3), 68-81. [6] Dell'Amico, M. & Michiardi P. & Roudier Y. “Password strength: an empirical analysis”, Proceedings of the 29th conference on Information communications, p.983-991, March 14-19, 2010, San Diego, California, USA [7] Department of Defense (1965). “Password Management Guideline” Retrieved web. 21 Feb. 2014. http://www.fas.org/irp/nsa/rainbow/std002.htm [8] Jeremiah Blocki, Saranga Komanduri, Ariel Procaccia, and Or Sheffet. (2013). “Optimizing password composition policies”. In Proceedings of the fourteenth ACM conference on Electronic commerce (EC '13). ACM, New York, NY, USA, 105-122. DOI=10.1145/2482540.2482552 http://doi.acm.org.proxy-bc.researchport.umd.edu/10.1145/2482540.2482552 [9] Kacherginsky, P. (2013) "Automatic Password Rule Analysis and Generation." thesprawl.org. Retrieved web. 3 Feb. 2014. http://thesprawl.org/research/automatic-password-rule-analysisgeneration/. [10] Matt Weir, Sudhir Aggarwal, Michael Collins, and Henry Stern. (2010). “Testing metrics for password creation policies by attacking large sets of revealed passwords”. In Proceedings of the 17th ACM conference on Computer and communications security (CCS '10). ACM, New York, NY, USA, 162-175. DOI=10.1145/1866307.1866327 http://doi.acm.org.proxy-bc.researchport.umd. edu/10.1145/1866307.1866327 [11] Mazurek, M. , et.al. (2013), Carnegie Mellon University. “Measuring Password Gussability for an Entire University. Retrieved web . 19 Feb. 2014. https://www.cylab.cmu. edu/files/pdfs/tech_reports/CMUCyLab13013.pdf [12] NIST Special Publication 800-63-2. Aug 2013. “Electronic Authentication Guideline”. Retrieved from: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf [13] Philip G. Inglesant and M. Angela Sasse. (2010). “The true cost of unusable password policies: password use in the wild”. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI '10). ACM, New York, NY, USA, 383-392. DOI=10.1145/1753326.1753384 http://doi.acm.org.proxy-bc.researchport.umd.edu/10.1145/1753326.1753384 [14] Shay, Richard; Bertino, Elisa .(2009). “A comprehensive simulation tool for the analysis of password policies” Vol. 8 Issue 4, p275-289; retrieved from: http://web.a.ebscohost. com/ehost/pdfviewer/pdfviewer?sid=2c196a6f-b6a7-430f-b3f9-095186691a72%40sessionmgr4001&vid=2&hid=4214 [15] Wood, Robin. “Pipal, Password Analyser” Retrieved from: http://www.digininja.org/projects/pipal.php [16] Openwall. “John the Ripper password cracker” Retrieved from http://www.openwall.com/john/

Acknowledgements We would like to acknowledge Dr. Alan Sherman for his criticism and help in this project, as well as, the people at Purdue, the NSA and AIS who without their cooperation and encouragement, this class and this project would not exist.

Contact Information Will Gossard , UMBC Undergraduate Major: Comp Sci Scott Bryant , UMBC Undergraduate Major: Comp Sci Alex Sperr , UMBC Undergraduate Major: Comp Sci