Studies in Password Creation and Password Cracking

Passwords are everywhere. In spite of the increased popularity of graphical and biometric authentication mechanisms, the single password is still the most commonly used method of authentication. Research released in 2017 by Dashlane, a maker of password management software, reveals that the average American has 150 accounts requiring passwords. The company projects that number to grow to 300 passwords within the next 5 years. Without leveraging password management systems to manage these vast numbers of accounts, users are likely to reuse passwords across multiple accounts. Research by cyber risk management company Digital Shadows suggests that 97% of the companies in the Fortune 1000 have credentials exposed due to a combination of employee password reuse and hacks of other companies. Research has been conducted to discover how easily a known password can be used to derive a user’s other passwords.

S.M. Taiabul Haque, Matthew Wright, and Shannon Scielzo (2014) propose a hierarchical model for categorizing users’ web passwords. The model they introduce consists of password tiers or levels. Lower-level passwords would consist of, for example, social media or streaming media service passwords. Higher-level passwords would consist of banking or other finance-related passwords. Haque et al. suggested that the compromise of a lower-level password would be enough to make users’ higher-level accounts more susceptible to password attacks. They conducted a study in which subjects were asked to construct passwords at the higher and lower levels. By utilizing the known lower-level passwords, Haque et al. were able to successfully crack nearly one-third of the higher-level passwords via dictionary attacks.

Also interesting are the effects that password policies have on the way users construct passwords. Much industry research leads to the conclusion that policies requiring users to add special characters and numbers do not increase the entropy of a password as much as password length does. Users often add special characters and numbers in predictable ways. As a result, specialized password cracking methods are evolving to account for user predictability. For example, users may simply append a year to their password or capitalize the first letter of a word in order to comply with a password policy.
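The predictable transformations described above (a capitalized first letter, a year or short digit run appended, a trailing special character, simple leet substitutions) can be undone by a policy checker before a dictionary lookup, so that a nominally compliant password such as `Summer2017!` is recognized as the word `summer` plus mangling. The following is an added example for illustration, not code from any of the cited papers; the wordlist and the set of transformations it strips are constructed assumptions, and a real deployment would use a large wordlist and breach-derived lists.

```python
import re

# Constructed sample wordlist (assumption); a real checker uses a large list.
COMMON_WORDS = {"password", "welcome", "summer", "football", "dragon", "letmein"}

# Simple leet substitutions users apply to satisfy "digit/special" rules.
LEET = str.maketrans("@0134$5", "aoieass")

_TRAILING_SPECIALS = re.compile(r"[!@#%^&*.?]+$")
_TRAILING_DIGITS = re.compile(r"\d{1,4}$")   # covers a year or a short run like 1, 12, 123


def strip_predictable_mangling(password: str) -> str:
    """Reduce a password to the stem a user most likely started from.

    Repeatedly removes trailing special characters and trailing digit runs
    (including appended years), then reverses leet substitutions and lowercases,
    so that capitalizing the first letter contributes nothing.
    """
    stem = password
    while True:
        new = _TRAILING_SPECIALS.sub("", stem)
        new = _TRAILING_DIGITS.sub("", new)
        if new == stem:
            break
        stem = new
    return stem.translate(LEET).lower()


def assess(password: str, min_length: int = 14, previous=()) -> dict:
    """Judge a candidate password by length and by whether its stem is a
    dictionary word or is shared with a previously used password."""
    stem = strip_predictable_mangling(password)
    previous_stems = {strip_predictable_mangling(p) for p in previous}
    predictable = stem in COMMON_WORDS
    derived = stem in previous_stems
    meets_length = len(password) >= min_length
    return {
        "stem": stem,
        "predictable_mangling": predictable,
        "derived_from_previous": derived,
        "meets_length": meets_length,
        "accept": meets_length and not predictable and not derived,
    }


if __name__ == "__main__":
    for candidate in ("Summer2017!", "P@ssw0rd1!", "correct horse battery staple"):
        print(candidate, assess(candidate))
```

The `previous` parameter models a system comparing a new password against the user's earlier ones on the same service; it does not imply a site can see passwords used elsewhere.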

P.G. Kelley et al. (2014) introduce the process they developed for calculating the efficacy of certain password-guessing algorithms. The group conducted a study in which subjects created passwords online under seven different password composition policies. Kelley et al. noticed a lack of research comparing password composition policies against password-guessing mechanisms. The group’s objective was to use their process for comparing password-guessing algorithms to determine how resistant passwords created under the various policies are to being guessed. They also investigate connections between guessability and entropy estimates.

There are many more studies that have been conducted on password habits, password cracking methods, and novel authentication approaches. Humans are naturally poor sources of randomness. Additionally, humans simply cannot be expected to commit 150 or more unique, strong passwords to memory. In the worst case, users reuse the same password across every account. In the best case, they use strong, random passwords unique to each account in their control. The papers featured serve to bridge the gap between predictability in human password construction and the analysis of algorithms and password-cracking methodologies.

v1.0