Lost in Disclosure: On the Inference of Password Composition Policies

Saul Johnson, João Ferreira, Alexandra Mendes, Julien Cordry

Research output: Chapter in Book/Report/Conference proceedingConference contribution

35 Downloads (Pure)

Abstract

Large-scale password data breaches are becoming increasingly commonplace, which has enabled researchers to produce a substantial body of password security research utilising real-world password datasets, which often contain numbers of records in the tens or even hundreds of millions. While much study has been conducted on how password composition policies—sets of rules that a user must abide by when creating a password—influence the distribution of user-chosen passwords on a system, much less research has been done on inferring the password composition policy that a given set of user-chosen passwords was created under. In this paper, we state the problem with the naive approach to this challenge, and suggest a simple approach that produces more reliable results. We also present pol-infer, a tool that implements this approach, and demonstrates its use in inferring password composition policies.
Original languageEnglish
Title of host publicationProceedings - 2019 IEEE 30th International Symposium on Software Reliability Engineering Workshops, ISSREW 2019
EditorsKatinka Wolter, Ina Schieferdecker, Barbara Gallina, Michel Cukier, Roberto Natella, Naghmeh Ivaki, Nuno Laranjeiro
PublisherIEEE
Pages264-269
Number of pages6
ISBN (Electronic)9781728151380
ISBN (Print)9781728151380
DOIs
Publication statusPublished - 13 Feb 2020
Event 2019 IEEE International Symposium on Software Reliability Engineering Workshops - Berlin, Germany
Duration: 27 Oct 201930 Oct 2019

Publication series

NameProceedings - 2019 IEEE 30th International Symposium on Software Reliability Engineering Workshops, ISSREW 2019

Conference

Conference 2019 IEEE International Symposium on Software Reliability Engineering Workshops
CountryGermany
CityBerlin
Period27/10/1930/10/19

Cite this

Johnson, S., Ferreira, J., Mendes, A., & Cordry, J. (2020). Lost in Disclosure: On the Inference of Password Composition Policies. In K. Wolter, I. Schieferdecker, B. Gallina, M. Cukier, R. Natella, N. Ivaki, & N. Laranjeiro (Eds.), Proceedings - 2019 IEEE 30th International Symposium on Software Reliability Engineering Workshops, ISSREW 2019 (pp. 264-269). (Proceedings - 2019 IEEE 30th International Symposium on Software Reliability Engineering Workshops, ISSREW 2019). IEEE. https://doi.org/10.1109/ISSREW.2019.00082