Skeptic: Automatic, Justified and Privacy-Preserving Password Composition Policy Selection
arXiv - CS - Cryptography and Security. Pub Date: 2020-07-07, DOI: arxiv-2007.03809
Saul Johnson, João F. Ferreira, Alexandra Mendes and Julien Cordry

The choice of password composition policy to enforce on a password-protected system represents a critical security decision, and has been shown to significantly affect the vulnerability of user-chosen passwords to guessing attacks. In practice, however, this choice is not usually rigorous or justifiable, with a tendency for system administrators to choose password composition policies based on intuition alone. In this work, we propose a novel methodology that draws on password probability distributions constructed from large sets of real-world password data which have been filtered according to various password composition policies. Password probabilities are then redistributed to simulate different user password reselection behaviours in order to automatically determine the password composition policy that will induce the distribution of user-chosen passwords with the greatest uniformity, a metric which we show to be a useful proxy to measure overall resistance to password guessing attacks. Further, we show that by fitting power-law equations to the password probability distributions we generate, we can justify our choice of password composition policy without any direct access to user password data. Finally, we present Skeptic, a software toolkit that implements this methodology, including a DSL to enable system administrators with no background in password security to compare and rank password composition policies without resorting to expensive and time-consuming user studies. Drawing on 205,176,321 passwords across 3 datasets, we lend validity to our approach by demonstrating that the results we obtain align closely with findings from a previous empirical study into password composition policy effectiveness.
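The core of the methodology above (filter a password distribution by each candidate policy, redistribute the rejected probability mass under a reselection model, then rank policies by the uniformity of the result) as a small added example; this is not the Skeptic toolkit's code. The sample counts are constructed, the policy predicates are an assumed encoding rather than Skeptic's DSL, and both the two reselection models and the use of normalised Shannon entropy as the uniformity proxy are assumptions made here.

```python
import math
import re
from collections import Counter

# Constructed sample counts standing in for a large leaked password dataset.
SAMPLE_COUNTS = Counter({
    "123456": 500, "password": 300, "qwerty": 200, "iloveyou": 150,
    "abc123": 120, "Password1": 80, "letmein": 60, "P@ssw0rd": 40,
    "abcdefg1": 30, "Summer2020!": 25, "correcthorse": 20, "Tr0ub4dor&3": 10,
})
CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")
# Composition policies as predicates (assumed encoding, not Skeptic's DSL).
POLICIES = {
    "none": lambda pw: True,
    "min8": lambda pw: len(pw) >= 8,
    "min8_digit": lambda pw: len(pw) >= 8 and re.search(r"\d", pw) is not None,
    "min8_3class": lambda pw: len(pw) >= 8
    and sum(re.search(c, pw) is not None for c in CLASSES) >= 3,
}

def to_distribution(counts):
    """Turn observed counts into a password probability distribution."""
    total = sum(counts.values())
    return {pw: n / total for pw, n in counts.items()}

def apply_policy(dist, allowed, model="proportional"):
    """Filter by a policy, then give the rejected users' probability mass to the
    surviving passwords: 'proportional' (in proportion to existing popularity)
    or 'uniform' (spread evenly).  Both are assumed reselection models."""
    kept = {pw: p for pw, p in dist.items() if allowed(pw)}
    if not kept:
        return {}
    kept_mass = sum(kept.values())
    if model == "proportional":
        return {pw: p / kept_mass for pw, p in kept.items()}
    share = (1.0 - kept_mass) / len(kept)
    return {pw: p + share for pw, p in kept.items()}

def uniformity(dist):
    """Normalised Shannon entropy: 1.0 when all surviving passwords are equiprobable."""
    n = len(dist)
    if n <= 1:
        return 0.0
    h = -sum(p * math.log2(p) for p in dist.values() if p > 0)
    return h / math.log2(n)

def rank_policies(counts, policies, model="proportional"):
    """Score each policy by the uniformity of its simulated distribution, best first."""
    base = to_distribution(counts)
    scored = [(name, uniformity(apply_policy(base, ok, model))) for name, ok in policies.items()]
    return sorted(scored, key=lambda kv: kv[1], reverse=True)
```

On this constructed sample the strictest policy is not the winner, which is the kind of non-obvious result the paper's simulation is meant to surface; with real data the choice of reselection model matters, so compare the ranking under both models.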

Updated: 2020-07-09