TC: Small: An Empirical Study of Text-based Passwords and Their Users

TC：小：基于文本的密码及其用户的实证研究

• 批准号: 1116776
• 负责人: Ljudevit Bauer
• 金额: $ 49.45万
• 依托单位: Carnegie-Mellon University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2011
• 资助国家: 美国
• 起止时间: 2011-09-01 至 2014-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1116776&HistoricalAwards=false
• 关键词: TC; Small; Empirical; Study; Text

Text-based passwords are the most commonly used mechanism for authenticating users to computer systems, but are often easy for attackers to compromise. To mitigate the danger of such attacks, system administrators use password-composition policies, which force newly created passwords to adhere to a set of requirements intended to make them harder to guess. Although it is generally believed that reasonable password-composition policies make passwords harder to guess, and hence more secure, research has not been able to precisely quantify the level of resistance to password guessing provided by different password-composition policies or the individual requirements of which they are comprised. Beyond their affect on the guessability of passwords, password-composition policies also affect users' behavior. For example, certain password-composition policies that lead to more-difficult-to-predict passwords may also lead users to write down their passwords more readily, reuse them across accounts, or forget them more often. Such behavior can both affect an adversary's ability to guess passwords, and raise the cost of administering a system.This project will substantially contribute to the understanding of the effects of password-composition policies on the security and usability of text-based passwords. The results of this research will be applicable to almost all computer systems that use text-based passwords, and will allow administrators to better select suitable password-composition policies, thus rendering them less susceptible to account compromise. More specifically, this project will involve collecting sets of passwords (or data about passwords) created under different password-composition policies and data about the associated user behaviors, and analyzing them for security and usability. Sets of up to tens of thousands of passwords or statistics about them will be collected via online studies, actual field data from two institutions, and from paper-and-pencil surveys and lab studies. This data will be analyzed using several new methods, including an approach for calculating how long it would take for various state-of-the-art password-guessing tools or algorithms to guess the passwords, and a new method for approximating the entropy of passwords from smaller datasets than was previously feasible. Based on this methodology, this research will: (1) measure the guessability of passwords generated under multiple different password-composition policies more accurately than was previously possible; (2) empirically assess the usefulness of entropy approximations (a common, but questioned, measure of password strength) as a measure of password guessability by state-of-the-art password-guessing algorithms; and (3) compare the usability of and user sentiment engendered by each password-composition policy to develop a holistic understanding of the merits of policies. This will enable the development of a set of actionable guidelines for administrators that will help them select password-composition policies appropriate for their user populations and security requirements. Two graduate students will be directly involved in this research project.

基于文本的密码是对计算机系统的用户进行身份验证的最常用机制，但通常很容易被攻击者攻破。为了减轻此类攻击的危险，系统管理员使用密码组合策略，该策略强制新创建的密码遵守一组要求，以使其更难被猜测。虽然人们普遍认为合理的密码组合策略使密码更难被猜测，从而更安全，但研究还不能精确地量化不同密码组合策略所提供的抗密码猜测的程度或它们所包含的单个要求。密码组合策略除了影响密码的可猜测性外，还会影响用户的行为。例如，某些导致密码更难预测的密码组合策略也可能导致用户更容易写下密码，跨帐户重复使用密码，或者更频繁地忘记密码。这种行为既会影响攻击者猜测密码的能力，又会增加管理系统的成本。该项目将大大有助于理解密码组合策略对基于文本的密码的安全性和可用性的影响。这项研究的结果将适用于几乎所有使用基于文本的密码的计算机系统，并将允许管理员更好地选择合适的密码组合策略，从而使他们更不容易受到帐户泄露的影响。更具体地说，该项目将包括收集在不同密码组合策略下创建的密码集（或有关密码的数据）以及相关用户行为的数据，并对其进行安全性和可用性分析。将通过在线研究、两家机构的实际现场数据、纸笔调查和实验室研究收集多达数万个密码或有关密码的统计数据。这些数据将使用几种新方法进行分析，包括计算各种最先进的密码猜测工具或算法猜测密码所需时间的方法，以及从比以前可行的更小的数据集中近似密码熵的新方法。基于该方法，本研究将：(1)比以前更准确地测量在多种不同密码组合策略下生成的密码的可猜测性；(2)通过最先进的密码猜测算法，经验性地评估熵近似（一种常见但受到质疑的密码强度度量）作为密码猜测性度量的有用性；(3)比较每个密码组合策略的可用性和用户情绪，以全面了解策略的优点。这将为管理员开发一套可操作的指导方针，帮助他们选择适合其用户群和安全需求的密码组合策略。两名研究生将直接参与这个研究项目。