Carnegie Mellon University
Text-based passwords remain the dominant authentication method in computer systems, despite significant advancement in attackers' capabilities to perform password cracking. In response to this threat, password composition policies have grown increasingly complex. However, there is insufficient research defining metrics to characterize password strength and using them to evaluate password-composition policies. In this paper, the authors analyze 12,000 passwords collected under seven composition policies via an online study. They develop an efficient distributed method for calculating how effectively several heuristic password-guessing algorithms guess passwords.