TY - GEN
T1 - Lost in Disclosure: On the Inference of Password Composition Policies
AU - Johnson, Saul
AU - Ferreira, João
AU - Mendes, Alexandra
AU - Cordry, Julien
PY - 2020/2/13
Y1 - 2020/2/13
N2 - Large-scale password data breaches are becoming increasingly commonplace, which has enabled researchers to produce a substantial body of password security research utilising real-world password datasets, which often contain numbers of records in the tens or even hundreds of millions. While much study has been conducted on how password composition policies—sets of rules that a user must abide by when creating a password—influence the distribution of user-chosen passwords on a system, much less research has been done on inferring the password composition policy that a given set of user-chosen passwords was created under. In this paper, we state the problem with the naive approach to this challenge, and suggest a simple approach that produces more reliable results. We also present pol-infer, a tool that implements this approach, and demonstrate its use in inferring password composition policies.
AB - Large-scale password data breaches are becoming increasingly commonplace, which has enabled researchers to produce a substantial body of password security research utilising real-world password datasets, which often contain numbers of records in the tens or even hundreds of millions. While much study has been conducted on how password composition policies—sets of rules that a user must abide by when creating a password—influence the distribution of user-chosen passwords on a system, much less research has been done on inferring the password composition policy that a given set of user-chosen passwords was created under. In this paper, we state the problem with the naive approach to this challenge, and suggest a simple approach that produces more reliable results. We also present pol-infer, a tool that implements this approach, and demonstrate its use in inferring password composition policies.
UR - https://ieeexplore.ieee.org/abstract/document/8990228
U2 - 10.1109/ISSREW.2019.00082
DO - 10.1109/ISSREW.2019.00082
M3 - Conference contribution
SN - 9781728151380
T3 - Proceedings - 2019 IEEE 30th International Symposium on Software Reliability Engineering Workshops, ISSREW 2019
SP - 264
EP - 269
BT - Proceedings - 2019 IEEE 30th International Symposium on Software Reliability Engineering Workshops, ISSREW 2019
A2 - Wolter, Katinka
A2 - Schieferdecker, Ina
A2 - Gallina, Barbara
A2 - Cukier, Michel
A2 - Natella, Roberto
A2 - Ivaki, Naghmeh
A2 - Laranjeiro, Nuno
PB - IEEE
T2 - 2019 IEEE International Symposium on Software Reliability Engineering Workshops
Y2 - 27 October 2019 through 30 October 2019
ER -