Association for Computing Machinery
In this paper, the authors attempt to determine the effectiveness of using entropy, as defined in NIST SP800-63, as a measurement of the security provided by various password creation policies. This is accomplished by modeling the success rate of current password cracking techniques against real user passwords. The password data sets were collected from several different websites, the largest one containing over 32 million passwords. This paper's focus on actual attack methodologies and real user passwords quite possibly makes this one of the largest studies on password security to date.
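The comparison the abstract describes can be sketched as follows. This is an added example, not code from the paper: it computes the SP800-63 Appendix A length-based entropy estimate for a minimum-length policy (with the 6-bit composition bonus, and with the dictionary-check bonus omitted), derives the guessing success rate that estimate implies, and measures the actual rate on a sample. The function names, the sample passwords and the guess list are all constructed for illustration.

```python
def nist_entropy_bits(length, composition_rule=False):
    """SP800-63 Appendix A estimate for a user-chosen password.
    4 bits for char 1, 2 bits each for chars 2-8, 1.5 bits each for
    chars 9-20, 1 bit each after that, plus 6 bits if the policy forces
    upper-case and non-alphabetic characters. Dictionary bonus omitted."""
    bits = 0.0
    for pos in range(1, length + 1):
        if pos == 1:
            bits += 4
        elif pos <= 8:
            bits += 2
        elif pos <= 20:
            bits += 1.5
        else:
            bits += 1
    return bits + (6 if composition_rule else 0)

def implied_success(guesses, bits):
    """Success rate the entropy figure implies for a given guess budget."""
    return min(1.0, guesses / 2 ** bits)

def measured_success(passwords, guess_list, budget):
    """Fraction of the sample found within the first `budget` guesses."""
    tried = set(guess_list[:budget])
    return sum(p in tried for p in passwords) / len(passwords)

# Constructed sample standing in for a real data set (not from the paper).
SAMPLE = ["password", "sunshine1", "letmein12", "qwerty123", "x7#Kp2vLq",
          "dragon2010", "Tr0ub4dor&3", "iloveyou", "monkey12", "correcthorse"]
# Constructed guess list ordered most-likely first (assumption).
GUESSES = ["password", "iloveyou", "qwerty123", "monkey12", "sunshine1"]

def compare(min_len, budget, composition_rule=False):
    """Return (implied, measured) success for passwords meeting min_len."""
    compliant = [p for p in SAMPLE if len(p) >= min_len]
    bits = nist_entropy_bits(min_len, composition_rule)
    return (implied_success(budget, bits),
            measured_success(compliant, GUESSES, budget))

if __name__ == "__main__":
    implied, measured = compare(min_len=8, budget=4)
    print(f"implied by entropy: {implied:.2e}  measured: {measured:.2f}")
```

The gap between the two numbers is the quantity of interest: the entropy figure assumes guesses are spread evenly over the password space, while a measured rate reflects how heavily real choices cluster.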