Password exhaustion: Predicting the end of password usefulness

Luke St. Clair, Lisa Johansen, William Enck, Matthew Pirretti, Patrick Traynor, Patrick McDaniel, Trent Jaeger

Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

23 Citations (Scopus)

Abstract

Passwords are currently the dominant authentication mechanism in computing systems. However, users are unwilling or unable to retain passwords with a large amount of entropy. This reality is exacerbated by the increasing ability of systems to mount offline attacks. In this paper, we evaluate the degree to which the previous statements are true and attempt to ascertain the point at which passwords are no longer sufficient to securely mediate authentication. In order to demonstrate this, we develop an analytical model for computation to understand the time required to recover random passwords. Further, an empirical study suggests the situation is much worse. In fact, we found that past systems vulnerable to offline attacks will be obsolete in 5-15 years, and our study suggests that a large number of these systems are already obsolete. We conclude that we must discard or fundamentally change these systems, and to that effect, we suggest a number of ways to prevent offline attacks.

Original language: English (US)
Title of host publication: Information Systems Security - 2nd International Conference, ICISS 2006, Proceedings
Editors: Vijayalakshmi Atluri, Aditya Bagchi
Publisher: Springer Verlag
Pages: 37-55
Number of pages: 19
ISBN (Print): 9783540689621
State: Published - Jan 1 2006
Event: 2nd International Conference on Information Systems Security, ICISS 2006 - Kolkata, India
Duration: Dec 19 2006 - Dec 21 2006

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 4332 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 2nd International Conference on Information Systems Security, ICISS 2006
Country: India
City: Kolkata
Period: 12/19/06 - 12/21/06

Fingerprint

  • Password
  • Authentication
  • Attack
  • Analytical models
  • Entropy
  • Empirical Study
  • Analytical Model
  • Sufficient
  • Computing
  • Evaluate
  • Demonstrate

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

St. Clair, L., Johansen, L., Enck, W., Pirretti, M., Traynor, P., McDaniel, P., & Jaeger, T. (2006). Password exhaustion: Predicting the end of password usefulness. In V. Atluri, & A. Bagchi (Eds.), Information Systems Security - 2nd International Conference, ICISS 2006, Proceedings (pp. 37-55). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4332 LNCS). Springer Verlag.
St. Clair, Luke ; Johansen, Lisa ; Enck, William ; Pirretti, Matthew ; Traynor, Patrick ; McDaniel, Patrick ; Jaeger, Trent. / Password exhaustion : Predicting the end of password usefulness. Information Systems Security - 2nd International Conference, ICISS 2006, Proceedings. editor / Vijayalakshmi Atluri ; Aditya Bagchi. Springer Verlag, 2006. pp. 37-55 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
@inproceedings{ccf3952b69ef4777b77af1ec071b1b8a,
title = "Password exhaustion: Predicting the end of password usefulness",
abstract = "Passwords are currently the dominant authentication mechanism in computing systems. However, users are unwilling or unable to retain passwords with a large amount of entropy. This reality is exacerbated by the increasing ability of systems to mount offline attacks. In this paper, we evaluate the degree to which the previous statements are true and attempt to ascertain the point at which passwords are no longer sufficient to securely mediate authentication. In order to demonstrate this, we develop an analytical model for computation to understand the time required to recover random passwords. Further, an empirical study suggests the situation is much worse. In fact, we found that past systems vulnerable to offline attacks will be obsolete in 5-15 years, and our study suggests that a large number of these systems are already obsolete. We conclude that we must discard or fundamentally change these systems, and to that effect, we suggest a number of ways to prevent offline attacks.",
author = "{St. Clair}, Luke and Lisa Johansen and William Enck and Matthew Pirretti and Patrick Traynor and Patrick McDaniel and Trent Jaeger",
year = "2006",
month = "1",
day = "1",
language = "English (US)",
isbn = "9783540689621",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer Verlag",
pages = "37--55",
editor = "Vijayalakshmi Atluri and Aditya Bagchi",
booktitle = "Information Systems Security - 2nd International Conference, ICISS 2006, Proceedings",
address = "Germany",
}

St. Clair, L, Johansen, L, Enck, W, Pirretti, M, Traynor, P, McDaniel, P & Jaeger, T 2006, Password exhaustion: Predicting the end of password usefulness. in V Atluri & A Bagchi (eds), Information Systems Security - 2nd International Conference, ICISS 2006, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 4332 LNCS, Springer Verlag, pp. 37-55, 2nd International Conference on Information Systems Security, ICISS 2006, Kolkata, India, 12/19/06.

Password exhaustion : Predicting the end of password usefulness. / St. Clair, Luke; Johansen, Lisa; Enck, William; Pirretti, Matthew; Traynor, Patrick; McDaniel, Patrick; Jaeger, Trent.

Information Systems Security - 2nd International Conference, ICISS 2006, Proceedings. ed. / Vijayalakshmi Atluri; Aditya Bagchi. Springer Verlag, 2006. p. 37-55 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4332 LNCS).

TY  - GEN
T1  - Password exhaustion
T2  - Predicting the end of password usefulness
AU  - St. Clair, Luke
AU  - Johansen, Lisa
AU  - Enck, William
AU  - Pirretti, Matthew
AU  - Traynor, Patrick
AU  - McDaniel, Patrick
AU  - Jaeger, Trent
PY  - 2006/1/1
Y1  - 2006/1/1
N2  - Passwords are currently the dominant authentication mechanism in computing systems. However, users are unwilling or unable to retain passwords with a large amount of entropy. This reality is exacerbated by the increasing ability of systems to mount offline attacks. In this paper, we evaluate the degree to which the previous statements are true and attempt to ascertain the point at which passwords are no longer sufficient to securely mediate authentication. In order to demonstrate this, we develop an analytical model for computation to understand the time required to recover random passwords. Further, an empirical study suggests the situation is much worse. In fact, we found that past systems vulnerable to offline attacks will be obsolete in 5-15 years, and our study suggests that a large number of these systems are already obsolete. We conclude that we must discard or fundamentally change these systems, and to that effect, we suggest a number of ways to prevent offline attacks.
AB  - Passwords are currently the dominant authentication mechanism in computing systems. However, users are unwilling or unable to retain passwords with a large amount of entropy. This reality is exacerbated by the increasing ability of systems to mount offline attacks. In this paper, we evaluate the degree to which the previous statements are true and attempt to ascertain the point at which passwords are no longer sufficient to securely mediate authentication. In order to demonstrate this, we develop an analytical model for computation to understand the time required to recover random passwords. Further, an empirical study suggests the situation is much worse. In fact, we found that past systems vulnerable to offline attacks will be obsolete in 5-15 years, and our study suggests that a large number of these systems are already obsolete. We conclude that we must discard or fundamentally change these systems, and to that effect, we suggest a number of ways to prevent offline attacks.
UR  - http://www.scopus.com/inward/record.url?scp=84994436127&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=84994436127&partnerID=8YFLogxK
M3  - Conference contribution
AN  - SCOPUS:84994436127
SN  - 9783540689621
T3  - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP  - 37
EP  - 55
BT  - Information Systems Security - 2nd International Conference, ICISS 2006, Proceedings
A2  - Atluri, Vijayalakshmi
A2  - Bagchi, Aditya
PB  - Springer Verlag
ER  -

St. Clair L, Johansen L, Enck W, Pirretti M, Traynor P, McDaniel P et al. Password exhaustion: Predicting the end of password usefulness. In Atluri V, Bagchi A, editors, Information Systems Security - 2nd International Conference, ICISS 2006, Proceedings. Springer Verlag. 2006. p. 37-55. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).