Slide 2
This talk discusses the problems with our current methods of measuring password strength and proposes alternatives.
Agenda:
• What's wrong with password complexity?
• A better alternative
• What this can give us
P@ssw0rd!
Slide 3
We usually calculate password complexity based on the total number of possible passwords.
• 4 digits
• 10 possibilities for each digit (0, 1, 2, 3, 4, 5, 6, 7, 8, 9)
Example: 1 2 3 4
10^4 = 10,000
Slide 4
We usually calculate password complexity based on the total number of possible passwords.
• 6 characters
• 36 possibilities for each character (0-9, A-Z)
Example: A 1 2 3 4 B
36^6 = 2,176,782,336 ≈ 2.2 × 10^9
Slide 5
We usually calculate password complexity based on the total number of possible passwords.
36^6 ≈ 2.2 × 10^9
• Assume X attempts per minute
• Calculate the expected time to check all passwords
• Mean time to find a single password (on average, half the space)
• Time to exhaust the entire space
Slide 6
This only works if people are computers
Note: people are not computers
Passwords the model assumes (uniformly random): 5ga9n2kfb, b29cmna0, 9h8g2bgun
Passwords people actually pick: Password, Letmein, Voldemort, Password, Password
Slide 7
Human nature defeats complexity
[Chart: number of occurrences vs. passwords sorted by commonality. Labelled points: password, bdsjgganqvoldemort, password1, bdsjgganq1voldemort1.]
Slide 8
How wrong are our assumptions?
• 10 PINs out of a 4-digit space of 10,000 = 1/1000th (0.1%) of all possible passcodes
• Yet the top 10 PINs account for roughly 15% of all passcodes in use
Slide 9
We need a new way of measuring complexity
[Chart: number of occurrences vs. passwords sorted by commonality. The proposed measure is a password's rank in this ordering, the "Nth password": "password" sits at the head of the curve, a random string such as "H6#a*b7Ke" far out in the tail.]
Slide 11
What's needed now: analysis of password policies
[Chart: number of occurrences vs. passwords sorted by commonality, one curve per policy (Policy 1, Policy 2, Policy 3).]
Slide 12
What's needed now: analysis of password policies
1. Get password dumps
2. Crack them ALL (if hashed)
3. Run them through the previous metric
4. Correlate with the applied policy
Slide 13
What this gives us: the ability to quantify password policies
We can actually quantify the risk of a given password policy!
Which is better:
• Insisting on the use of numbers
• Insisting on the use of special characters
Slide 14
What this gives us: the ability to quantify password policies
We can actually quantify the risk of a given password policy!
Which is better:
• 6 characters, must use 1 number and 1 letter
• 8 characters
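The following is an added worked example, not part of the talk's slides: it puts the keyspace model from slides 3 to 5 next to the empirical "Nth password" metric from slides 8 to 12, and runs the procedure of slide 12 (steps 3 and 4) over two password dumps to answer the comparison posed on slide 14. The two dumps are constructed for illustration, not real leaked data; the attacker's guess order is assumed to be the dump's own frequency ranking, which models a perfectly informed attacker and therefore gives an upper bound on coverage.

```python
"""Keyspace model vs. empirical guess-number metric for password policies."""
from collections import Counter
from typing import Dict, Iterable, List, Optional, Sequence


# --- The "people are computers" model (slides 3-5) ---------------------------

def keyspace(alphabet_size: int, length: int) -> int:
    """Total passwords if every position is chosen independently and uniformly."""
    return alphabet_size ** length


def exhaust_minutes(space: int, attempts_per_minute: float) -> float:
    """Time to try every password in the space at the given guess rate."""
    return space / attempts_per_minute


def mean_minutes(space: int, attempts_per_minute: float) -> float:
    """Expected time to hit one uniformly chosen password: half the space on average."""
    return space / (2 * attempts_per_minute)


def uniform_coverage(space: int, guesses: int) -> float:
    """Share of accounts n guesses would crack if users really chose uniformly."""
    return min(guesses, space) / space


# --- The empirical metric (slides 8-12) --------------------------------------

def guess_order(dump: Iterable[str]) -> List[str]:
    """Attacker's guess list derived from a cracked dump: distinct passwords,
    most common first. Assumption: using the dump's own frequencies models a
    perfectly informed attacker, so coverage computed against it is an upper
    bound; in practice derive the list from a different dump than you score."""
    return [pw for pw, _ in Counter(dump).most_common()]


def guess_number(guesses: Sequence[str], password: str) -> Optional[int]:
    """The 'Nth password' metric: 1-based rank of a password in the guess list,
    or None if the list never reaches it."""
    try:
        return list(guesses).index(password) + 1
    except ValueError:
        return None


def coverage(dump: Sequence[str], guesses: Sequence[str]) -> float:
    """Fraction of accounts in `dump` compromised by trying `guesses`."""
    tried = set(guesses)
    return sum(1 for pw in dump if pw in tried) / len(dump)


def coverage_curve(dump: Sequence[str], points: Iterable[int]) -> Dict[int, float]:
    """Coverage after 1, 3, 10, ... guesses: the shape of the commonality curve."""
    order = guess_order(dump)
    return {n: coverage(dump, order[:n]) for n in points}


# --- Constructed dumps (NOT real data) for the two policies on slide 14 ------

POLICY_6_ALNUM = (                      # 6+ chars, at least one letter and one digit
    ["abc123"] * 4 + ["pass1234"] * 3 + ["qwerty1"] * 2
    + ["welcome1", "monkey12", "dragon1", "hello123", "p4ssw0rd", "letmein1",
       "k2d9xz", "a1b2c3", "x7mq4p", "z3nb8k", "m5tr1c"]
)
POLICY_8_ANY = (                        # 8+ chars, no composition rule
    ["password"] * 6 + ["12345678"] * 3 + ["letmein1"] * 2
    + ["voldemort", "iloveyou", "sunshine", "football", "trustno1", "baseball",
       "h6#a*b7ke", "q9vkd2mzp", "bdsjgganq"]
)
GUESS_POINTS = (1, 3, 10)


def compare_policies() -> Dict[str, Dict[int, float]]:
    """Steps 3-4 of the procedure: run each policy's cracked dump through the metric."""
    return {
        "6 chars, 1 letter + 1 digit": coverage_curve(POLICY_6_ALNUM, GUESS_POINTS),
        "8 chars, no rules": coverage_curve(POLICY_8_ANY, GUESS_POINTS),
    }


if __name__ == "__main__":
    pin_space = keyspace(10, 4)
    print(f"4-digit PIN space: {pin_space}; uniform model says 10 guesses crack "
          f"{uniform_coverage(pin_space, 10):.1%} of accounts")
    space_36_6 = keyspace(36, 6)
    print(f"36^6 = {space_36_6:,} (~{space_36_6:.1e}); at 1000 guesses/min the "
          f"mean crack time is {mean_minutes(space_36_6, 1000) / (60 * 24):.0f} days")
    for policy, curve in compare_policies().items():
        print(policy, {n: f"{c:.0%}" for n, c in curve.items()})
```

The keyspace functions reproduce the numbers on slides 3 to 5 and predict that 10 guesses crack 0.1% of PIN-protected accounts; the coverage curve over a cracked dump is the quantity slide 8 contrasts that with, and comparing the curves of two policies at the same guess counts is the policy comparison slides 13 and 14 ask for. Because a dump scored against its own frequency ranking already credits the attacker with perfect knowledge, a fairer measurement builds the guess list from one dump and scores a second one collected under the policy being evaluated.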
Slide 15
Questions?
In summary, a true measure of password policy complexity will allow us to make informed decisions on password policies:
• Quantify the strength of a password policy
• Compare policies
• State with some confidence how many weak passwords people will generate with any given policy
HUGE, when talking to business people.