Pitfalls in the Automated Strengthening of Passwords
![open_access](/assets/open_access_icon-bc813276d7282c52345af89ac81c71bae160e2ab623e35c5c41385a25c92c3b1.png)
Open Access
- Author:
- Schmidt, David Eric
- Graduate Program:
- Computer Science and Engineering
- Degree:
- Master of Science
- Document Type:
- Master Thesis
- Date of Defense:
- November 08, 2013
- Committee Members:
- Trent Ray Jaeger, Thesis Advisor/Co-Advisor
Patrick Drew Mcdaniel, Thesis Advisor/Co-Advisor
Lee David Coraor, Thesis Advisor/Co-Advisor - Keywords:
- Password checking
Password creation policies
Information security
Strong authentication - Abstract:
- Passwords are the most common form of authentication for computer systems, and with good reason: they are simple, intuitive and require no extra device for their use. Unfortunately, users often choose weak passwords that are easy to guess. Various methods of helping users select strong passwords have been deployed, often in the form of requirements for the minimum length and number of character classes to use. Alternatively, a site could modify a user's password in order to make it more secure; strengthening algorithms have been proposed that extend/modify a user-supplied password until achieving sufficient strength. Researchers have suggested that it may be possible to balance password strength with memorability by limiting automated changes to one or two characters while evaluating the generated passwords' strength against known cracking algorithms. This thesis shows that passwords that were strengthened against the best known cracking algorithms are still susceptible to attack provided the adversary knows the strengthening algorithm. Two attacks are proposed: (1) by strengthening public password sets with the known algorithm, which increases the percentage of recovered passwords by a factor of 2-5, and (2) by a brute-force attack on the initial passwords and space of possible changes, recovering all passwords produced when a sufficiently weak initial password was suggested. As a result, Kerckhoffs's principle is not satisfied with respect to these automated password strengthening systems.