Optimizing password composition policies

Jeremiah Blocki, Saranga Komanduri, Ariel D. Procaccia, Or Sheffet

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review

22 Scopus citations

Abstract

A password composition policy restricts the space of allowable passwords to eliminate weak passwords that are vulnerable to statistical guessing attacks. Usability studies have demonstrated that existing password composition policies can sometimes result in weaker password distributions; hence a more principled approach is needed. We introduce the first theoretical model for optimizing password composition policies. We study the computational and sample complexity of this problem under different assumptions on the structure of policies and on users' preferences over passwords. Our main positive result is an algorithm that - with high probability - constructs almost optimal policies (which are specified as a union of subsets of allowed passwords), and requires only a small number of samples of users' preferred passwords. We complement our theoretical results with simulations using a real-world dataset of 32 million passwords.

Original language: English
Title of host publication: EC 2013 - Proceedings of the 14th ACM Conference on Electronic Commerce
Publisher: Association for Computing Machinery
Pages: 105-122
Number of pages: 18
ISBN (Print): 9781450319621
State: Published - 2013
Externally published: Yes
Event: 14th ACM Conference on Electronic Commerce, EC 2013 - Philadelphia, PA, United States
Duration: 16 Jun 2013 to 20 Jun 2013

Publication series

Name: Proceedings of the ACM Conference on Electronic Commerce

Conference

Conference: 14th ACM Conference on Electronic Commerce, EC 2013
Country/Territory: United States
City: Philadelphia, PA
Period: 16/06/13 to 20/06/13

Keywords

  • Computational complexity
  • Password composition policy
  • Sampling
