Pitfalls in the Automated Strengthening of Passwords

Open Access
Schmidt, David Eric
Graduate Program:
Computer Science and Engineering
Master of Science
Document Type:
Master Thesis
Date of Defense:
November 08, 2013
Committee Members:
  • Trent Ray Jaeger, Thesis Advisor
  • Patrick Drew Mcdaniel, Thesis Advisor
  • Lee David Coraor, Thesis Advisor
  • Password checking
  • Password creation policies
  • Information security
  • Strong authentication
Passwords are the most common form of authentication for computer systems, and with good reason: they are simple, intuitive and require no extra device for their use. Unfortunately, users often choose weak passwords that are easy to guess. Various methods of helping users select strong passwords have been deployed, often in the form of requirements for the minimum length and number of character classes to use. Alternatively, a site could modify a user's password in order to make it more secure; strengthening algorithms have been proposed that extend/modify a user-supplied password until achieving sufficient strength. Researchers have suggested that it may be possible to balance password strength with memorability by limiting automated changes to one or two characters while evaluating the generated passwords' strength against known cracking algorithms. This thesis shows that passwords that were strengthened against the best known cracking algorithms are still susceptible to attack provided the adversary knows the strengthening algorithm. Two attacks are proposed: (1) by strengthening public password sets with the known algorithm, which increases the percentage of recovered passwords by a factor of 2-5, and (2) by a brute-force attack on the initial passwords and space of possible changes, recovering all passwords produced when a sufficiently weak initial password was suggested. As a result, Kerckhoffs's principle is not satisfied with respect to these automated password strengthening systems.