Lost in Disclosure: On The Inference of Password Composition Policies

• URL: http://arxiv.org/abs/2003.05846v2
• Date: Fri, 15 Mar 2024 10:37:51 GMT
• Title: Lost in Disclosure: On The Inference of Password Composition Policies
• Authors: Saul Johnson, João Ferreira, Alexandra Mendes, Julien Cordry,
• Abstract summary: We study how password composition policies influence the distribution of user-chosen passwords on a system. We suggest a simple approach that produces more reliable results. We present pol-infer, a tool that implements this approach, and demonstrates its use inferring password composition policies.
• Score: 43.17794589897313
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Large-scale password data breaches are becoming increasingly commonplace, which has enabled researchers to produce a substantial body of password security research utilising real-world password datasets, which often contain numbers of records in the tens or even hundreds of millions. While much study has been conducted on how password composition policies (sets of rules that a user must abide by when creating a password) influence the distribution of user-chosen passwords on a system, much less research has been done on inferring the password composition policy that a given set of user-chosen passwords was created under. In this paper, we state the problem with the naive approach to this challenge, and suggest a simple approach that produces more reliable results. We also present pol-infer, a tool that implements this approach, and demonstrates its use in inferring password composition policies.

Related papers

• A Large-Scale Survey of Password Entry Practices on Non-Desktop Devices [2.8698289487200856]
  We find that password entry on devices without password managers is a common occurrence and comes with significant usability challenges. These challenges lead users to weaken their passwords to increase the ease of entry. We conclude this paper with a discussion of how future research could address these challenges and encourage users to adopt generated passwords.
  arXiv  Detail & Related papers  (2024-09-04T19:28:36Z)
• Nudging Users to Change Breached Passwords Using the Protection Motivation Theory [58.87688846800743]
  We draw on the Protection Motivation Theory (PMT) to design nudges that encourage users to change breached passwords. Our study contributes to PMT's application in security research and provides concrete design implications for improving compromised credential notifications.
  arXiv  Detail & Related papers  (2024-05-24T07:51:15Z)
• CodeChameleon: Personalized Encryption Framework for Jailbreaking Large Language Models [49.60006012946767]
  We propose CodeChameleon, a novel jailbreak framework based on personalized encryption tactics. We conduct extensive experiments on 7 Large Language Models, achieving state-of-the-art average Attack Success Rate (ASR) Remarkably, our method achieves an 86.6% ASR on GPT-4-1106.
  arXiv  Detail & Related papers  (2024-02-26T16:35:59Z)
• PassViz: A Visualisation System for Analysing Leaked Passwords [2.2530496464901106]
  PassViz is a command-line tool for visualising and analysing leaked passwords in a 2-D space. We show how PassViz can be used to visually analyse different aspects of leaked passwords and to facilitate the discovery of previously unknown password patterns.
  arXiv  Detail & Related papers  (2023-09-22T16:06:26Z)
• PassGPT: Password Modeling and (Guided) Generation with Large Language Models [59.11160990637616]
  We present PassGPT, a large language model trained on password leaks for password generation. We also introduce the concept of guided password generation, where we leverage PassGPT sampling procedure to generate passwords matching arbitrary constraints.
  arXiv  Detail & Related papers  (2023-06-02T13:49:53Z)
• RiDDLE: Reversible and Diversified De-identification with Latent Encryptor [57.66174700276893]
  This work presents RiDDLE, short for Reversible and Diversified De-identification with Latent Encryptor. Built upon a pre-learned StyleGAN2 generator, RiDDLE manages to encrypt and decrypt the facial identity within the latent space.
  arXiv  Detail & Related papers  (2023-03-09T11:03:52Z)
• Targeted Honeyword Generation with Language Models [5.165256397719443]
  Honeywords are fictitious passwords inserted into databases to identify password breaches. Major difficulty is how to produce honeywords that are difficult to distinguish from real passwords.
  arXiv  Detail & Related papers  (2022-08-15T00:06:29Z)
• Skeptic: Automatic, Justified and Privacy-Preserving Password Composition Policy Selection [44.040106718326605]
  The choice of password composition policy to enforce on a password-protected system represents a critical security decision. In practice, this choice is not usually rigorous or justifiable, with a tendency for system administrators to choose password composition policies based on intuition alone. We propose a novel methodology that draws on password probability distributions constructed from large sets of real-world password data.
  arXiv  Detail & Related papers  (2020-07-07T22:12:13Z)
• Shades of Perception- User Factors in Identifying Password Strength [0.0]
  The purpose of this study was to measure whether participant education, profession, and technical skill level exhibited a relationship with identification of password strength. A Chi-square test of independence was used to measure relationships between education, profession, technical skill level relative to the frequency of weak and strong password identification. The results demonstrate a need for further investigation into why users continue to rely on weak passwords.
  arXiv  Detail & Related papers  (2020-01-14T17:45:40Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.